
Cookie banner vs no cookie banner: when an indie app actually needs one in 2026

A decision-tree walkthrough of when an indie SaaS that uses PostHog, Stripe, Supabase, or Google Analytics typically needs a cookie consent banner, with cautious wording where local guidance varies.

Decision confidence: low. Published May 17, 2026.
Educational content, not legal advice. Consult counsel for production policies. Sample wording is a starting point; review the official requirement before publishing.
Sources: S-004, S-013, S-017, S-018

“Does my app need a cookie banner?” is one of the most common questions in indie-SaaS shipping threads, and the honest answer is “it depends — and the guidance varies country by country in the EU”. This post walks through what GDPR Article 7 + the ePrivacy Directive jointly require, what the major data protection authorities have said about analytics cookies, and where the lines sit in 2026 for a typical indie stack.

Confidence: low. Cookie law is one of the areas where national guidance diverges most. France’s CNIL, Italy’s Garante, the UK ICO, and Germany’s Datenschutzkonferenz have all published different positions on analytics cookies, session replay, and “necessary” cookies. The guidance below is a starting point; review the current position from your relevant authority and consult counsel before relying on it.

TLDR

The decision tree for a typical indie web app, paraphrased:

  1. Is the cookie strictly necessary to provide the service the user requested? (Auth session, CSRF token, shopping-cart state.) If yes, most jurisdictions exempt it from consent. The ePrivacy Directive Article 5(3) is the source.
  2. Is the cookie functional but not strictly necessary (theme preference, language)? Some jurisdictions consider these consent-exempt under “strictly necessary”; others require consent or at least a notice.
  3. Is the cookie an analytics cookie (PostHog, GA4, Mixpanel)? Most EU authorities require consent before firing, with some exemptions for “first-party measurement” that meets specific conditions (e.g., CNIL’s exemption criteria).
  4. Is the cookie an advertising / cross-site / retargeting cookie? Consent is required.

For US-only traffic, the rules are different — California’s CCPA does not require a pre-consent banner but does require a “Notice at Collection” and a “Do Not Sell or Share My Personal Information” link if you sell or share personal information.

The four categories in detail

Strictly necessary

The ePrivacy Directive carves out an exemption for cookies that are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.” Auth session cookies, CSRF tokens, and basket-state cookies typically fall here.

For most indie apps:

  • Supabase Auth session cookie — typically strictly necessary if the user is signed in to use the app.
  • Vercel security cookies — typically strictly necessary for HTTPS / DDoS protection.

Functional / preference

Cookies that store a user’s language or theme. Some authorities consider these exempt; others require a soft notice. Most indie SaaS treats these as strictly necessary in practice, but check your local authority’s guidance.

Analytics

This is the contentious category.

  • PostHog sets ph_* cookies by default. PostHog’s GDPR docs state that consent is typically required in the EU and offer cookieless and consent-aware modes (accessed 2026-05-25).
  • Google Analytics 4 sets _ga and _ga_* cookies. GA4 Consent Mode v2 is Google’s mechanism for waiting on consent before firing — but Consent Mode v2 alone does not satisfy every authority’s requirements.
  • Mixpanel sets mp_* cookies. The default position from most EU authorities is that an analytics cookie requires consent.

The CNIL has historically published criteria under which a “first-party measurement” can be consent-exempt: the data is used only by you, only for measurement, no cross-site joining, and only basic statistics. If your configuration is more elaborate (cross-domain tracking, identifying authenticated users, session replay), the exemption typically does not apply.
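A quick way to check whether a banner is actually gating these tools is to inventory the cookies the browser holds and compare them with what the visitor has agreed to. The following is an added example, not code from the post or from any of the vendors named above. The name patterns for PostHog (ph_*), GA4 (_ga, _ga_*) and Mixpanel (mp_*) are the ones the post lists; the app-specific names (session, csrf_token, theme), the trailing-star glob syntax and the category labels are assumptions for illustration.

```javascript
// Cookie audit: given document.cookie (or a Cookie request header) and the categories the
// visitor has consented to, report every cookie that should not exist yet.
// Added example; patterns for ph_*, _ga, _ga_* and mp_* follow the post, the rest is assumed.

const KNOWN_COOKIES = [
  { pattern: 'ph_*',       category: 'analytics',  vendor: 'PostHog' },
  { pattern: '_ga',        category: 'analytics',  vendor: 'Google Analytics 4' },
  { pattern: '_ga_*',      category: 'analytics',  vendor: 'Google Analytics 4' },
  { pattern: 'mp_*',       category: 'analytics',  vendor: 'Mixpanel' },
  { pattern: 'session',    category: 'necessary',  vendor: 'app (assumed cookie name)' },
  { pattern: 'csrf_token', category: 'necessary',  vendor: 'app (assumed cookie name)' },
  { pattern: 'theme',      category: 'functional', vendor: 'app (assumed cookie name)' },
];

// Split a cookie string into cookie names; values are irrelevant for the audit.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(s => s.trim())
    .filter(Boolean)
    .map(s => {
      const eq = s.indexOf('=');
      return eq === -1 ? s : s.slice(0, eq);
    });
}

// A trailing '*' in a pattern means "any suffix"; otherwise the name must match exactly.
function matches(name, pattern) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// Map a cookie name to its category and vendor; anything not on the list is 'unknown'.
function classify(name) {
  const hit = KNOWN_COOKIES.find(k => matches(name, k.pattern));
  return hit ? { category: hit.category, vendor: hit.vendor } : { category: 'unknown', vendor: null };
}

// Return the cookies present whose category the visitor has not consented to.
// Unknown cookies are reported as well: an inventory you cannot explain is itself a finding.
function auditCookies(cookieString, allowedCategories) {
  const allowed = new Set(allowedCategories);
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const { category, vendor } = classify(name);
    if (!allowed.has(category)) findings.push({ name, category, vendor });
  }
  return findings;
}

// Constructed sample: what a first page view should look like before any choice is made.
// Only strictly-necessary cookies are allowed at that point, so every analytics cookie is a finding.
const SAMPLE_BEFORE_CONSENT = 'session=abc123; ph_phc_demo_posthog=%7B%7D; _ga=GA1.1.1; _ga_DEMO=GS1.1; theme=dark';

if (typeof document !== 'undefined') {
  // In a browser, run against the live cookie jar on page load and log anything out of place.
  console.table(auditCookies(document.cookie, ['necessary']));
}
```

Run it on the first page load with only `['necessary']` allowed; a non-empty result means a tool fired before the banner captured a choice. After the visitor accepts analytics, run it again with `['necessary', 'analytics']` and the PostHog and GA4 entries should disappear from the report while advertising cookies, if any, still show.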

Advertising / retargeting

Consent required, full stop, in EU jurisdictions. The GDPR Art. 6 lawful-basis options effectively require Art. 6(1)(a) consent for non-essential profiling.

A practical decision tree

Your app's setup | Typical position (verify locally)
Auth-only Supabase session, no analytics, no third-party fonts | No banner; document the strictly-necessary cookies in your policy.
Above + Vercel Analytics (cookieless by design) | No banner. Vercel Analytics is intentionally cookieless; verify version.
Above + PostHog in cookieless mode (PostHog supports this) | Likely no banner, but verify PostHog mode and your jurisdiction.
Above + PostHog default mode, GA4, or Mixpanel | Banner typically required for EU traffic before analytics fires.
Above + session replay enabled | Banner required + DOM masking; session replay is high-sensitivity.
Above + advertising pixels (Meta, Google Ads) | Banner required.

Common mistakes

  • Treating Consent Mode v2 as a consent banner. It’s not — it’s the signal layer. You still need a banner that captures the user’s choice.
  • Implementing a banner that fires analytics before the user clicks. The banner has to actually gate the cookie.
  • Forgetting session replay. PostHog session replay records DOM activity and is one of the more privacy-sensitive things an analytics tool can do. Mask sensitive elements and gate it behind consent in EU jurisdictions.
  • Assuming US-only traffic = no banner needed. True for GDPR/ePrivacy, but CCPA still requires a Notice at Collection. Read the CCPA primary statute.
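The first two mistakes above share one root cause: the choice is collected in one place and the tools are started in another, with nothing enforcing the order. The following is an added example of the gating logic, not code from the post or from PostHog, Google or any other vendor. The storage key name, the four category labels, the `loaders` map and the `decide` function are assumptions for illustration; the `gtag('consent', 'update', ...)` call and its four Consent Mode v2 keys are Google's documented signal interface, which this code feeds but does not replace.

```javascript
// Consent gate: nothing outside the strictly-necessary category runs until a choice exists.
// Added example (not the post's or any vendor's code). CONSENT_KEY, CATEGORIES, loaders
// and decide() are assumed names; the gtag consent keys are Google's Consent Mode v2 ones.

const CONSENT_KEY = 'cookie_consent_v1'; // assumed localStorage key
const CATEGORIES = ['necessary', 'functional', 'analytics', 'advertising'];

// Parse a stored record. Anything missing or malformed means "no choice yet", which
// must be treated exactly like a refusal of every non-necessary category.
function parseConsent(raw) {
  if (!raw) return null;
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (!obj || typeof obj !== 'object' || !obj.choices || typeof obj.choices !== 'object') return null;
  const choices = {};
  for (const c of CATEGORIES) {
    // necessary cannot be refused; every other category is false unless explicitly true
    choices[c] = c === 'necessary' ? true : obj.choices[c] === true;
  }
  return { choices, decidedAt: typeof obj.decidedAt === 'string' ? obj.decidedAt : null };
}

// Build the record for a choice. `accepted` lists the non-necessary categories opted into;
// "Reject all" is simply makeConsent([]).
function makeConsent(accepted, now = new Date()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === 'necessary' || accepted.includes(c);
  return { choices, decidedAt: now.toISOString() };
}

// Categories whose tools may run. With no record, only strictly-necessary code runs.
function allowedCategories(consent) {
  if (!consent) return ['necessary'];
  return CATEGORIES.filter(c => consent.choices[c]);
}

// Translate the choice into the GA4 Consent Mode v2 update. This is the signal layer:
// it tells gtag what the visitor chose; it never collects that choice itself.
function consentModeUpdate(consent) {
  const state = c => (consent && consent.choices[c]) ? 'granted' : 'denied';
  return {
    analytics_storage: state('analytics'),
    ad_storage: state('advertising'),
    ad_user_data: state('advertising'),
    ad_personalization: state('advertising'),
  };
}

// Run every loader whose category is allowed; return the names that ran, for auditing.
function applyConsent(consent, loaders) {
  const allowed = new Set(allowedCategories(consent));
  const ran = [];
  for (const [name, { category, load }] of Object.entries(loaders)) {
    if (allowed.has(category)) { load(); ran.push(name); }
  }
  return ran;
}

// Browser wiring (skipped under Node). On every page load the stored choice is re-read and
// only then are gated tools started; the banner's buttons call decide([...]).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const loaders = {
    session: { category: 'necessary',   load: () => {} },                              // nothing to gate
    posthog: { category: 'analytics',   load: () => window.dispatchEvent(new Event('consent:analytics')) },
    ads:     { category: 'advertising', load: () => window.dispatchEvent(new Event('consent:advertising')) },
  };
  const signal = consent => {
    if (typeof window.gtag === 'function') window.gtag('consent', 'update', consentModeUpdate(consent));
  };
  const stored = parseConsent(window.localStorage.getItem(CONSENT_KEY));
  if (stored) { applyConsent(stored, loaders); signal(stored); }
  // else: render the banner; nothing gated runs until decide() is called
  window.decide = accepted => {
    const consent = makeConsent(accepted);
    window.localStorage.setItem(CONSENT_KEY, JSON.stringify(consent));
    applyConsent(consent, loaders);
    signal(consent);
  };
}
```

The important property is that the loaders for analytics and advertising are only reachable through `applyConsent`, so there is no code path that initialises PostHog, GA4 or a pixel before a record exists. The browser wiring uses DOM events as the hook for starting each vendor SDK, so the actual `posthog.init` or script injection lives in a listener and stays out of the gate itself; a `gtag('consent', 'default', ...)` call with everything denied should still precede the GA4 tag as Google's documentation describes, with this code supplying only the later `update`.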

FAQ

Does Vercel Analytics need consent? Vercel Analytics is documented as cookieless. As of 2026-05-25 (access date), no consent banner is typically required for Vercel Analytics itself — but if you also run PostHog or GA4 alongside it, each of those tools needs its own treatment.

What if I just don’t run analytics? Then the banner question goes away for analytics specifically. You may still have strictly-necessary cookies; some indie apps note these in the policy without a banner. Confirm the local position.

Can I use a “soft” banner (no decline button)? Most EU authorities now require a clear “Reject all” path that is as easy as “Accept all”. A banner without a decline button is likely not compliant in those jurisdictions.


Sources cited

S-004, S-013, S-017, S-018. Each source row is listed in the full disclosure matrix.

Useful next step

Open the Indie App Privacy Disclosure Matrix for a side-by-side view of which platforms expect which disclosures for the services in your stack.