Do You Need a Cookie Consent Banner? What Small Business Owners Should Know

Blue flower with pink buds on black background

Summary

Tracking tools like analytics and pixels can put your small business at legal risk. Learn if you need a cookie consent banner and how to fix it fast.

Smiling woman holding pink flowers

Stephanie Pleasants

A web designer and digital strategist helping women entrepreneurs create stress-free websites that attract clients and grow with their business. Through Instanticity, I share simple web design, blogging, and SEO tips to help you show up confidently online.

Woman working on laptop at home office table

A while back, posts started popping up in my web designer groups about small business owners getting demand letters from law firms. The claim? Their website tracked a visitor without consent. The ask? $5,000. Per visitor.

These weren’t tech companies. One was a photographer. Another ran a little online boutique. Businesses with websites that look a whole lot like yours.

Take a breath, though. You’re not in trouble. You just have a to-do, and by the end of this post you’ll know whether you need a cookie consent banner [you do] and how to get one set up without a law degree or a scary legal bill.

Quick heads up: I use referral links for Termageddon in this post because I genuinely use it on my own site and recommend it to clients. If you sign up through my link, I may earn a small commission at no extra cost to you, but you also save 10%. [That’s a win for both of us!]

Also important: I’m not a lawyer, and nothing here is legal advice. It’s one web designer sharing what she’s learned so you can make informed decisions about your own site. When in doubt, talk to an actual attorney.

Wait, My Website Tracks People?

Probably, yes. And I’d bet you didn’t set out to do it.

The tools you forgot you installed

Most website owners hear “tracking” and picture some shady data operation. But tracking tools hide in the most ordinary places:

  • Google Analytics – collects IP addresses and browsing behavior
  • Meta Pixel – even one left over from an ad campaign you ran years ago
  • Pinterest tags – same deal
  • Embedded YouTube videos – yep, those count
  • Google Fonts and Google Maps – loading these from Google’s servers can share visitor data too

If your site has any of these, and it’s highly likely you’re using Google fonts on your website, you’re collecting visitor information. Using these tools isn’t the problem. The problem is using them without telling anyone, and increasingly, without asking permission first. The Better Business Bureau has a solid plain-English overview of what privacy policies need to disclose if you want a neutral second opinion on all this.

The 5-minute self-audit

Grab a coffee and answer these honestly:

  1. Do you have a contact form?
  2. Do you have an email signup form?
  3. Do you use Google Analytics or any analytics tool?
  4. Do you have a Facebook, Meta, or Pinterest pixel installed (even an old one)?
  5. Do you embed YouTube videos, Google Maps, or Google Fonts?
  6. Do you sell anything on your site?

Answered yes to even one? Keep reading. Yes to number 3, 4, or 5? The next section is specifically for you.

The Lawsuit Nobody Warned You About (CIPA)

Here’s where it gets real.

What the California Invasion of Privacy Act actually says

The California Invasion of Privacy Act (CIPA) is an old wiretapping law that lawyers are now applying to websites. The argument goes like this: if your site uses tracking tools to record what visitors do without their consent, that’s a form of illegal eavesdropping.

I know. A wiretapping law from the era of actual telephone wires, aimed at your Pinterest tag. Welcome to the internet in 2026.

Unlike most privacy laws, CIPA lets individuals sue businesses directly. No government agency has to get involved. Small business owners have received demand letters asking for $5,000 or more per website visitor. Termageddon keeps a running guide on CIPA and website tracking claims that’s worth a read if you want the full legal picture.

Why “but I’m not in California” doesn’t protect you

Privacy laws protect people, not businesses. That means they follow the visitor.

If someone in California lands on your website and your Meta Pixel fires before they’ve consented, California’s law can apply. It doesn’t matter that you’re in Texas, Ohio, or Nova Scotia. Your website is open to the whole internet, and the whole internet includes California. Rocket Lawyer’s small business guide to digital privacy laws breaks down how these state laws reach across borders, and it’s eye-opening.

CIPA also has no revenue threshold. There’s no “too small to matter” exemption. Honestly, small businesses can make easier targets because they’re less likely to have lawyers on retainer.

What a demand letter looks like (and costs)

It’s usually a letter from a law firm claiming your site tracked their client without consent, with a settlement demand attached. Even a weak claim costs money to respond to. Hiring an attorney to make it go away costs more. Settling costs the most.

Prevention, meanwhile, costs about what you’d spend on a nice dinner out. We’ll get there.

What a Cookie Consent Banner Actually Does

A real cookie consent banner does one job: it stops tracking tools from loading until the visitor says yes.

Consent before tracking. That’s the whole point.

There’s a business upside here too, beyond the legal stuff. A Cisco survey found that 94% of consumers are more likely to trust companies that protect their data. Your visitors notice when you handle their info with care, even if they never consciously think about it.

Cookie consent banner vs. cookie policy vs. privacy policy

These three get mixed up constantly, so let’s untangle them:

  • Privacy policy – the document disclosing what personal info your site collects, what you do with it, and who you share it with. I covered which laws require one in my guide to website privacy laws.
  • Cookie policy – explains the specific cookies and trackers your site uses and why.
  • Cookie consent banner – the interactive piece that asks visitors for permission and actually blocks trackers until they agree.

You likely need all three working together.

Why that fake “we use cookies, OK?” bar doesn’t count

You’ve seen those little bars that say “This site uses cookies” with a single OK button.

Cute. Useless.

A banner only counts if it gives visitors a real choice, including the option to decline, and actually prevents tracking tools from loading until consent happens. A notification bar that tracks you anyway isn’t consent. It’s decoration.

How to Get Compliant Without a Law Degree

You’ve got three real options.

Option 1: Hire an attorney

A privacy attorney can draft custom policies for your business. It’s the most tailored route, and for complex businesses it might be the right one. Expect to spend anywhere from several hundred to a few thousand dollars.

The catch is maintenance. Privacy laws change constantly (dozens of new bills are in the works at any given moment across the US, EU, UK, Canada, and Australia), and every change potentially means another call to your attorney. Budget for the relationship, not just the document.

Option 2: Copy a template (please don’t)

I get the temptation. Free template, ten minutes, done.

But a privacy policy has to accurately describe your practices, the laws that apply to your visitors, and the tools on your site. A copied policy almost never does, which means you’re publicly making promises your business doesn’t actually keep. Regulators treat an inaccurate policy as a deceptive practice, so a bad policy can hurt you more than having none at all. Termageddon wrote a whole piece on why copying a privacy policy backfires, and I co-sign every word.

A static policy has the same problem in slow motion. It was accurate the day you pasted it in. Then the laws changed and it quietly went stale.

Option 3: An auto-updating cookie consent banner and policy solution

This is what I use and what I offer to set up for my clients: Termageddon.

One license includes a privacy policy, cookie policy, consent banner, terms of service, disclaimer, and EULA. You answer a questionnaire about your business, it figures out which laws apply to you, and it generates everything. Then it monitors privacy laws and automatically updates your policies when things change.

Set it up once. It stays current. [It’s basically the “let it go” of legal compliance… did you sing that? Sorry not sorry.]

For what it’s worth, I didn’t pick it because of the referral program. I picked it because it was co-founded by a privacy attorney and it’s the longest running policy generator listed as a trusted vendor by the International Association of Privacy Professionals. The referral link came later, after I’d already been recommending it to clients for free.

How this works on a WordPress site

If you’re on WordPress, setup is genuinely simple. You generate your policies in Termageddon, then paste an embed code onto your policy pages. The consent banner installs through a WordPress plugin, which can even show the banner only to visitors in regions that require it, so you’re not annoying everyone else. Although, I recommend just show it to everyone, it’s not that annoying.

The embed code is the quiet hero here. Because your policies live in Termageddon and display through that code, updates push to your pages automatically. You don’t touch a thing.

Not on WordPress? Not a problem. Termageddon can be used on non-WordPress websites also.

What I Do on My Own Site

I don’t just recommend this. I run it.

Instanticity has a contact form, an email list, analytics, and a shop, which means I collect personal information every single day. My privacy policy and cookie policy are both generated and maintained this way, and my consent banner blocks trackers until visitors opt in.

When a new privacy law passes, I get an email letting me know my policies were updated. That’s the whole task. After 20+ years of building and maintaining websites, I’ve learned the best systems are the ones you don’t have to think about.

The Bottom Line

If your website uses analytics, pixels, embedded videos, or fonts loading from Google, you very likely need a cookie consent banner backed by real policies. “I didn’t know” isn’t a defense, and the demand letters aren’t slowing down, they’re becoming more common.

The fix takes about an hour:

  1. Run the 5-minute audit above
  2. Set up Termageddon, or whichever compliant solution you choose, and answer the questionnaire honestly
  3. Add your policies and consent banner to your site
  4. Get back to running your business

Rather have someone handle it for you? Compliance setup is exactly the kind of behind-the-scenes work I take care of for my website care plan clients. Not a care plan client? Reach out and we’ll get your site covered.

Frequently Asked Questions About Privacy Policies

Does this apply to me if I’m not in California or Europe?

Yes. Privacy laws follow your visitors, not your business address. If people from California or EU can visit your site, those laws can reach you.

Is a free privacy policy template good enough?

Usually not. Templates aren’t tailored to your actual practices or the laws that apply to your visitors, and they don’t update when laws change. An inaccurate policy can create more risk than it removes.

You May Also Like.

The problem isn't that you don't have lead magnet ideas - it's that you can't pick one. Here are five simple freebies that work for coaches, designers, VAs, and consultants, plus a quick filter to help you choose the right one and actually launch it.
Small websites are getting sued over everyday tools like Google Analytics and old Facebook pixels. Find out if your site needs a cookie consent banner, what the CIPA lawsuit wave means for you, and how to get protected in about an hour (no law degree required).
Not sure what a lead magnet is or why you need one? Here's the plain-language version. Learn what a lead magnet actually does, why your email list matters more than your follower count, and how one simple freebie can start building real connections with your ideal clients.

Your First 3 Emails, Already Mapped Out.

The Welcome Sequence Starter Kit is a plug-and-play framework with prompts, subject lines, and send timing for the 3 emails every new subscriber should get. Just fill in the blanks and hit send.

This field is required.