Cookie consent and GDPR for small businesses in 2026 — what you need to avoid fines

Cookiebot is 99 EUR/mo, Iubenda 27 EUR. For an agritourism, salon or one-person company that's absurd. Showing free / DIY setups that pass the regulator's audit.


Every other client asks me the same thing: "do I have to have that cookie banner?". The answer is boring and short, yes, if you embed anything beyond your own session cookies. And if you have Google Analytics, Plausible, Meta Pixel, Google Maps, or embedded YouTube videos, you have "anything beyond".

Second thing I hear: "but Cookiebot wants 99 EUR a month and Iubenda 27, I run an agritourism with two rooms, this is absurd". I agree. So I show three paths, free, DIY, and SaaS, and say which makes sense when.

What the law actually requires (PL + EU, 2026 status)

UODO (the Polish data protection authority) and the EDPB (EROD) have held a hard line since 2024:

  • Functional / strictly necessary cookies (session, cart, login), no consent needed, info in the policy is enough.
  • Analytics cookies, consent required. Yes, even "privacy-first" Plausible/Matomo technically need consent if they set a cookie or fingerprint. Most current "cookieless" configurations of these tools genuinely set no cookies, and then no consent is needed (but check the specific version and settings).
  • Marketing cookies (Meta Pixel, Google Ads, retargeting), hard consent.
  • Embedded social content (YouTube, Vimeo, Instagram, Google Maps), needs consent because these platforms set their own cookies.

Penalty: up to 4% of global turnover. Realistically for a small business in PL, UODO levies 5-50k PLN, but one jealous competitor's complaint is enough to start proceedings.

Variant 1 — "minimum viable" for $0

If your site has:

  • Only Plausible without cookies (e.g. self-hosted)
  • No Meta Pixel, Google Ads, retargeting
  • No embedded YouTube/maps

Then you don't need a consent banner. A privacy policy linked in the footer, noting that you use Plausible and that you don't collect IPs, is enough.

I have this on a few demo sites. Plausible self-hosted (not SaaS Cloud, because cloud uses Cloudflare WAF which can log IPs), zero embeds, zero pixels. One link to /polityka-prywatnosci in the footer, done.

Variant 2 — DIY banner

If you have Google Analytics, Meta Pixel, or YouTube embeds, you need a banner. Simplest setup:

// components/CookieConsent.tsx
"use client";
import { useEffect, useState } from "react";

const STORAGE_KEY = "cookie-consent-v1";
type ConsentLevel = "essential" | "all";

export default function CookieConsent() {
  const [show, setShow] = useState(false);

  useEffect(() => {
    // Runs on the client only; localStorage does not exist during SSR.
    const stored = localStorage.getItem(STORAGE_KEY);
    if (!stored) {
      setShow(true);
    } else if (stored === "all") {
      // Returning visitor who already accepted: re-fire the event so the
      // consent-gated GA / Pixel loaders run on this page view as well.
      window.dispatchEvent(new Event("consent-granted"));
    }
    // The "Manage cookies" footer link dispatches this event to re-open the
    // banner so the visitor can change their choice (event name is ours).
    const reopen = () => setShow(true);
    window.addEventListener("consent-manage", reopen);
    return () => window.removeEventListener("consent-manage", reopen);
  }, []);

  const accept = (level: ConsentLevel) => {
    localStorage.setItem(STORAGE_KEY, level);
    setShow(false);
    if (level === "all") {
      // GA / Pixel loaders listen for this and only then inject their <script>.
      window.dispatchEvent(new Event("consent-granted"));
    }
  };

  if (!show) return null;
  // Both buttons share one class: "Essential only" must look the same as "Accept all".
  const buttonClass = "px-3 py-1.5 border border-border rounded text-sm";
  return (
    <div className="fixed bottom-4 left-4 right-4 md:max-w-md p-4 rounded-xl bg-background border border-border z-50">
      <p className="text-sm">
        We use cookies for analytics. <a href="/privacy">More</a>
      </p>
      <div className="flex gap-2 mt-3">
        <button onClick={() => accept("essential")} className={buttonClass}>
          Essential only
        </button>
        <button onClick={() => accept("all")} className={buttonClass}>
          Accept all
        </button>
      </div>
    </div>
  );
}

Three rules it MUST satisfy:

  1. Equal buttons. "Accept" and "Reject" must look the same. You can't make "Accept" a big green button and "Reject" a tiny gray link. UODO has fined firms for exactly that.
  2. Default everything OFF. The banner shows before GA/Pixel loads, not after. Meaning you load <Script src="ga..." /> only after accept("all").
  3. Easy consent withdrawal. "Manage cookies" link in the footer that re-shows the banner and lets you change choices.

Variant 3 — when SaaS makes sense

Get Cookiebot/Iubenda when:

  • You have e-commerce with 5+ marketing pixels (Meta, Google, TikTok, LinkedIn, Klaviyo)
  • You do business in EU markets (DE, FR, where fines are real and frequent)
  • You don't have a dev in-house and don't want to maintain custom code

For an agritourism in Mszana, a hair salon, a one-person IT company, overkill. Variant 2 is enough.

Privacy policy — what MUST be in it

Most often skipped sections:

  • Data controller, full company info (name, tax ID, address, DPO contact if you have one)
  • Processing purposes, what and why (account, newsletter, analytics, marketing)
  • Legal basis, GDPR Art. 6(1)(a/b/c/f) for each purpose separately
  • Data recipients, Hetzner, Cloudflare, Resend, Stripe... list every processor
  • Retention period, e.g. "account data, until account deletion + 1 year"
  • User rights, access, rectification, deletion, objection, portability
  • Transfer outside EEA, when you use US-based services (Google, Meta), specify the basis (Standard Contractual Clauses usually)

I have a markdown template policy I use for clients. If you run something similar to agritourism / salon / practice, most points are repeatable, copy-paste with name swaps.

Most common mistakes I see at clients

  1. Banner loads GA before consent. GA pings GTM before you click "Accept". UODO sees this in the network tab in 30 seconds.
  2. "Continue without consenting" button hidden behind a small X. The CJEU (TJUE) in 2024 made it clear: illegal. There must be a visible "Reject" button.
  3. Privacy policy from the previous developer, not adapted. Lists tools you don't use, missing tools you do. If anyone checks, you have a problem.
  4. "YouTube embed nofollow doesn't need consent", false. YouTube sets cookies on iframe load. Either youtube-nocookie.com, or consent.
  5. Forgetting newsletter double opt-in: entering an email plus a checkbox isn't enough, there must be a confirmation link.
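Mistakes 1 and 4 are the ones you can catch mechanically: export the network log from the browser (or a headless run) for a first visit with nothing in storage and check which third-party hosts were hit before any decision. The following is an added example, not from the post: an offline audit over a constructed request log, plus a helper that rewrites a YouTube embed src to the nocookie domain. The entry shape, the host list and the sample log are assumptions of this example (the host list is illustrative, not exhaustive; "G-XXXX" is a placeholder measurement id).

```typescript
// Added example: flag tracker requests that fired without "all" consent.
export interface RequestEntry {
  url: string;
  // Consent value present in storage when the request fired (null = none yet).
  consentAtRequest: "essential" | "all" | null;
}

// Hosts that set or read cross-site identifiers and therefore need consent.
// Illustrative list; extend it with every pixel you actually integrate.
export const TRACKER_HOST_SUFFIXES = [
  "google-analytics.com",
  "googletagmanager.com",
  "doubleclick.net",
  "connect.facebook.net",
  "facebook.com",
  "youtube.com", // plain embeds set cookies on iframe load; youtube-nocookie.com does not
];

export function hostOf(url: string): string {
  try { return new URL(url).hostname.toLowerCase(); } catch { return ""; }
}

export function isTrackerHost(host: string): boolean {
  return TRACKER_HOST_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

export interface Finding { url: string; reason: string; }

// Every tracker request made with no decision or with essential-only consent
// is a finding. First-party requests and non-tracker hosts are ignored.
export function auditPreConsent(entries: RequestEntry[], firstPartyHost: string): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    const host = hostOf(e.url);
    if (!host || host === firstPartyHost) continue;
    if (!isTrackerHost(host)) continue;
    if (e.consentAtRequest === "all") continue;
    findings.push({
      url: e.url,
      reason: e.consentAtRequest === null
        ? "tracker loaded before any consent decision"
        : "tracker loaded with essential-only consent",
    });
  }
  return findings;
}

// Mistake 4: rewrite a YouTube iframe src to the privacy-enhanced domain.
export function toNoCookieEmbed(src: string): string {
  const u = new URL(src);
  if (u.hostname === "www.youtube.com" || u.hostname === "youtube.com") {
    u.hostname = "www.youtube-nocookie.com";
  }
  return u.toString();
}

// Constructed sample log for a first visit (not a real capture).
export const SAMPLE_LOG: RequestEntry[] = [
  { url: "https://example.com/", consentAtRequest: null },
  { url: "https://plausible.io/js/script.js", consentAtRequest: null },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-XXXX", consentAtRequest: null },
  { url: "https://www.youtube.com/embed/abc123", consentAtRequest: null },
  { url: "https://connect.facebook.net/en_US/fbevents.js", consentAtRequest: "essential" },
  { url: "https://www.google-analytics.com/g/collect?v=2", consentAtRequest: "all" },
];

// Example run: three findings (GTM and YouTube before any decision, the
// Pixel under essential-only); the GA hit after "Accept all" is fine.
export function runSampleAudit(): Finding[] {
  return auditPreConsent(SAMPLE_LOG, "example.com");
}
```

Run this as the last step of the pre-deploy checklist: an empty findings list for a fresh-profile visit is the evidence you want before the site goes live, and the same check catches a new pixel that a plugin silently added later.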

What I do on my own site

Specifically on kamilkaletka.dev:

  • Plausible Cloud (official, not self-hosted), Plausible declares no cookies and no fingerprinting. Banner therefore not required. I have a separate note in the policy.
  • No Google Analytics, no Meta Pixel, don't need them, Plausible suffices.
  • No YouTube/Vimeo embeds, all videos hosted on Cloudflare Stream, no third-party cookies.
  • Privacy policy at /polityka-prywatnosci (PL) and /privacy (EN), full processor list (Cloudflare, Plausible, Resend, Vercel etc.).

This is a setup that meets GDPR without a banner. But it requires conscious tooling choices, and not every client wants to accept them (Plausible gives far less detail than GA for marketing analytics).

Pre-deploy checklist

Short list for every new deploy:

  • Privacy policy linked in footer (PL + EN if dual-language)
  • Processor list current (audit every new SaaS you integrate)
  • Consent banner (if you have anything beyond strictly necessary)
  • Banner with equal buttons, defaults all OFF
  • "Manage cookies" link in footer
  • Newsletter with double opt-in if you collect emails
  • Contact form with processing consent checkbox
  • DPO in policy if you employ one (most small companies don't have to)

Most of my clients walk through this in 30 minutes on a call. Privacy policy is a template, banner is 50 lines of React, form consents are a checkbox.


If you're facing an audit or want to make sure your site is OK, drop a line. I run a quick cookies + policy audit in an hour, you get concrete fix-lists with article numbers.