Back to Blog

Consent Management Platforms (CMPs): Build or Buy?

  • - Geri Kirovska
  • 4 min read

Building a consent management platform (CMP) may seem as simple as designing a user interface with “Accept All” and “Reject All” buttons linked to purposes and disclosures. However, developing a compliant CMP requires extensive work on the back end to store proof of consent and preference choices, handle visitors who request to alter data the website collects, and provide transparency into a site’s data collection and usage practices. Doing that without disturbing the user experience can quickly become a complex undertaking. 

Here are some things to consider to help you decide whether you should build your own CMP or turn to a service.

What You Need to Build a CMP

Technical resources

Besides knowledge and vision, you’ll need resources to build your own CMP. If you’re operating in-house, you probably already have developers, however, there’s more to building a CMP than just handing an engineer a copy of data privacy regulation (like the GDPR or CCPA) and telling them to run with it. You’ll also need a web or app developer—or both—to help build the technology, user experience (UX) designers to create the interface (UI), and web developer and implementation resources to set up tag management and conditional firing

In the course of development, research is essential to ensure that the technology being built has back-end compliance infrastructure, like recording and logging of all consent interactions. The CMP should also have interoperability with all on-page partners. 

Legal knowledge

Building a compliant CMP already takes a great deal of familiarity with the law itself, but maintaining a compliant CMP is even more resource-intensive. When thinking about appropriate legal resources, keep in mind that:

  • Laws exist in a continuum, not a single point in time. Knowing the regulations upon implementation is not enough, your legal counsel must stay up-to-date and provide feedback to your development team as regulatory authorities provide new rulings and guidelines.
  • A legal generalist may not be ideal at keeping track of privacy regulation nuances and trends over time. Consider a privacy specialist, who will provide a level of expertise in their approach to thinking through the scenarios of how privacy regulation can affect a business.
  • Regional experts add significant benefit in localizing one’s approach to country- or region-specific needs and requirements.

Understanding the ecosystem

It is important to note that tech and legal knowledge shouldn’t be treated as separate resources. Knowledge of GDPR and development resources are just the beginning. The real challenge companies face when building CMPs is found in the practical, real-life implementation of the platform in the ecosystem.

Having a functional, compliant CMP means understanding what the law requires and how it applies to the data ecosystem. This means knowing who the players are and who needs to be able to receive consent from you (e.g. on-page vendors). It’s also important to understand how the ecosystem works from a technical standpoint to better grasp how consent is transmitted and how to establish proof. Understanding how signals are passed from publishers to data management platforms (DMPs), supply side platforms (SSPs), and then finally to demand side platforms (DSPs) and any other relevant platform will help marketers understand the nuts and bolts of the CMP operation.

Pros and cons of building a CMP

The main advantage of building your own CMP is that you have all the control. Whether it’s the look and feel of the user experience, your preferences on how information is displayed and shared, or what makes sense to show users based on where they are in the customer journey, building a CMP in-house means having full ownership of the user experience. For that reason, many companies prefer to keep anything related directly to their customers or audiences in-house. 

Conversely, the biggest disadvantage of building your own CMP is for the same reasons. When taking full ownership of their CMPs by building them, companies typically move further away from their core business into unknown waters. Building a CMP is not as straightforward as it seems at first sight. From a strategic point of view, a company should approach development with caution. 

To avoid wasting resources when deciding to build a CMP, companies must always make a comparison between the cost it takes to build and maintain it against the cost of outsourcing. 

Even so, there are still several scenarios where building your own CMP makes sense.  For example, if you don’t need to transmit consent to the on-page vendors, you won’t need a CMP with extensive features.

Be ready to commit

Building a CMP is not a one-time job—it’s continuous work. As regulations evolve, the CMP needs to be adjusted accordingly each time a new court ruling affects our interpretation of the law. 

In fact, a number of clients have cited that the major cost-driver of CMPs is not the initial development but the ongoing maintenance required for a best-in-class, compliant technology. As Mila Dimitrova, Data Protection Officer at Nova Broadcasting Group Inc, said, “The dedicated workforce invested in keeping up with industry standards and current legislation and case law did not justify [the costs of maintenance].” 

If, after reviewing the recommendations for building a CMP, you conclude that the best option for your company is working with an established CMP, we can help.