Skip to main content

Menu

Choose a theme and configure high-contrast mode. Preferences are saved in your browser only.

User Preferences

Theme

Pick a palette or follow your system preference.

High Contrast

Sharper text and borders. System follows your OS setting.

Alex Zappaprivacy, cmp, data

The hidden cost of 'free' consent banners: your data

There is a reason some consent management platforms are free, and it is not generosity.

The business model you do not see

A hosted CMP sits between your users and your site. Every consent decision (accept, reject, customize) flows through their servers. They know how many visitors you get, where they are from, what they click, whether they accept or reject, and which categories they toggle.

This is not hypothetical. It is the stated business model of several free-tier CMPs. The consent platform becomes a data broker, and your visitors’ privacy preferences become the product.

There is also a Schrems II angle here that nobody talks about. Consent records contain IP addresses and unique identifiers. That is personal data under GDPR. If the CMP’s servers sit in the US, every consent decision from an EU visitor crosses into a jurisdiction without an adequacy decision. You need Standard Contractual Clauses and a transfer impact assessment just to run a cookie banner. The CMP is not going to flag this for you. It is not in their interest to.

What is actually in those dashboards

Most hosted CMP dashboards show you aggregate consent rates. What they do not show you is what they do with the raw data. Cross-site tracking of consent patterns. Benchmarking against other sites in your industry. Selling anonymized (and sometimes not-so-anonymized) consent data to ad networks. Using consent data to train their own AI models.

You agreed to this in the terms of service, in the paragraph you skipped.

Self-hosted means no middleman

When your CMP runs from your domain and consent decisions never leave the browser, there is nothing to sell. The consent record stays in localStorage. The analytics stay in your own tools. No third party has a window into your visitors’ choices.

The real test

Ask your CMP vendor two questions:

  1. Do consent decisions touch your servers? If yes, what do you do with them?
  2. Can I self-host and still get all features? If no, the hosted version is the product and you are the channel.

Transparency is not a feature. It is the baseline.

May the source be with you.

Alex @ FreshJuice

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.