Consent management platform decisions are not a legal checkbox; they're a product and infrastructure decision that changes how every analytics, ad, and personalization call flows through your stack.
If your product touches ads, programmatic bidding, attribution, or per‑region personalization, a consent management platform (CMP) shapes revenue paths and auditability. A single misapplied banner can reduce measured conversions by 4–15% on ad channels and trigger fines that exceed $100k in worst‑case GDPR audits for mid‑market companies.
Direct answer: Build a consent management platform when off‑the‑shelf vendors would cost you more than $150k/year, when server‑side enforcement is required across 200+ third‑party integrations, or when product differentiation depends on consent flows (for example, subscription gating tied to opt‑in) that put >1% of ARR at risk; otherwise buy and instrument the vendor aggressively. This rule of thumb fits most B2B/SaaS companies under $50M ARR.
When to build a consent management platform
Buying a CMP from OneTrust, Usercentrics, TrustArc, or a regional provider typically means a baseline cost and a matrix of add‑ons. Typical enterprise quotes start at $50k–$150k/year for banner + preference center + basic DSR logs; advanced server‑side enforcement, data residency, and audit trails push quotes into $200k–$400k/year. Integration effort is often separate: expect $15k–$60k professional services to wire tags, CDP connectors, and DSR workflows.
Building a minimal, production‑grade CMP that handles banners, a preference center, and basic client‑side enforcement is feasible in 3–6 months with a 2–3 engineer team and product ownership. Using a $180k/year loaded engineer rate, three engineers for four months costs roughly $180k in salaries. Add a product designer and 0.5 PM (~$60k for the same period) and $20k of infrastructure and logging to reach an initial build cost near $260k.
Three‑year TCO compares differently depending on scope. Buy scenario: $80k/year vendor + $40k initial integration + $10k/year infra = ~$310k over three years. Build scenario: $260k initial + $75k/year maintenance (0.5–1 engineer) + $5k/year infra = ~$500k over three years. If you require server‑side enforcement, data residency in multiple jurisdictions, or plan to instrument 200+ pixels and 30+ endpoints, the build TCO narrows because vendor add‑ons commonly add $50k–$200k/year.
Switching costs matter. Moving CMP providers often requires revalidating 30–60 tags, updating tag‑manager rules, and redoing audit records. A migration can cost 3–8 engineer‑weeks (~$35k–$90k) plus potential data reconciliation effort. If you expect vendor churn within 24 months, that migration tax should be folded into the vendor TCO as a 20–40% premium.
Operational risk and latency are non‑trivial. Client‑side banners add near‑zero server cost but rely on browser behavior; server‑side consent checks add 40–150ms to API surfaces and increase egress. If you already run server‑side tag firing or use a CDP like Segment or RudderStack for server‑side forwarding, the incremental latency and cost are lower; otherwise expect an extra $2k–$8k/month in egress and compute for high‑traffic sites.
Build when consent is a product surface; buy when it’s a compliance integration you can outsource and audit.
What this means for a CTO
You have three levers to evaluate: financial threshold, integration surface, and product differentiation. Financial: if vendor total cost of ownership (SaaS + integration + migration risk) exceeds ~50% of a conservative three‑year build TCO, start a build spike. Use explicit numbers: compare vendor quotes with a build estimate using $160–200k loaded engineer costs and 20–30% recurring maintenance.
Integration surface: inventory your endpoints. If you have fewer than 50 third‑party endpoints and use client‑side tag managers (GTM), a vendor wins on speed. If you have 150–300 endpoints, server‑side CDP forwarding, or direct ad exchange integrations, building reduces brittle mapping work and vendor add‑on fees. Count each endpoint and attach an estimated integration time (5–20 hours) — this gives you a clear migration cost baseline.
Product differentiation: ask whether consent flows are core to your UX or monetization. If conversion differences by consent state represent >1% of ARR or your subscription model varies by data processing opt‑ins, treat the CMP as a product and build. Otherwise, buy and hold the vendor to SLAs, audit exports, and a documented rollback plan.
3-step decision checklist
1. Quantify revenue at risk and vendor cost: if vendor fully loaded cost (recurring + integration + projected migration) > $150k/year or impacts >1% ARR, run a build spike.
2. Count integrations: if you have >100 tag/endpoints or require server‑side gatekeeping for 3+ services, build.
3. Compliance & residency: if you must host consent logs in specific jurisdictions or provide immutable audit trails for 5+ territories, build.
Operationalize the decision. If you buy, negotiate API access, exportable immutable logs, and a 30–90 day exit plan in writing. If you build, scope a six‑week spike to prove server‑side enforcement (one API path, one CDP, one ad partner) and commit to a 12‑month roadmap with 99.9% consent enforcement SLO and a 48‑hour DSR SLA.
Implementation notes you can act on tomorrow: run an integration audit that lists each tag, required consent signal, owner, and estimated engineering hours; treat each as a ticketable piece of scope. Build a small test harness that emulates Google Ads, Facebook pixel, and your analytics endpoint; measure consent propagation latency and loss before you sign a vendor contract.
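One way to score the test harness described above, added here as an example and not taken from any vendor or CMP code base: a default-deny server-side gate plus a scorer that compares observed deliveries with what the consent store permits. The audit table, purpose names, destination labels, and metric names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Constructed integration-audit rows: destination -> consent purpose it needs.
AUDIT = {"google_ads": "advertising", "facebook_pixel": "advertising",
         "analytics": "analytics"}

@dataclass(frozen=True)
class Consent:
    granted: frozenset   # purposes currently opted into
    updated_at: float    # time of the last consent change, in seconds

def allowed(consent, audit=AUDIT):
    """Server-side gate: no consent record means nothing is forwarded."""
    if consent is None:
        return set()
    return {dest for dest, purpose in audit.items() if purpose in consent.granted}

def measure(events, delivered, store, audit=AUDIT):
    """Score observed deliveries against what the consent store permits.
    events: [(event_id, user_id, ts)]; delivered: {event_id: {destinations}};
    store: {user_id: Consent}, treated as the source of truth."""
    violations = lost = expected_n = 0
    lag = 0.0
    for event_id, user_id, ts in events:
        consent = store.get(user_id)
        want = allowed(consent, audit)
        got = delivered.get(event_id, set())
        leaked = got - want
        violations += len(leaked)
        lost += len(want - got)
        expected_n += len(want)
        if leaked and consent is not None:
            # Stale state: still forwarding this long after the consent change.
            lag = max(lag, ts - consent.updated_at)
    return {"violations": violations, "lost": lost,
            "loss_rate": lost / expected_n if expected_n else 0.0,
            "max_propagation_lag_s": lag}

def sample_run():
    """Constructed scenario: u1 opted into everything, u2 withdrew advertising
    consent at t=100, u3 has no consent record."""
    store = {"u1": Consent(frozenset({"advertising", "analytics"}), 0.0),
             "u2": Consent(frozenset({"analytics"}), 100.0)}
    events = [("e1", "u1", 50.0), ("e2", "u2", 100.5),
              ("e3", "u2", 130.0), ("e4", "u3", 60.0)]
    delivered = {"e1": {"google_ads", "analytics"},      # facebook_pixel lost
                 "e2": {"analytics", "facebook_pixel"},  # leaked after withdrawal
                 "e3": {"analytics"}, "e4": set()}
    return measure(events, delivered, store)
```

In a real harness, `delivered` would come from the request logs of the emulated endpoints; a nonzero `violations` count is a compliance failure, while `lost` is the measurement loss that shows up as missing conversions.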
Restated thesis: a consent management platform is buildable, but only build when the vendor costs, integration surface, or product differentiation make the engineering program an investment rather than an overhead. When you choose to buy, instrument aggressively; when you choose to build, treat the CMP like a customer‑facing product with SLAs, versioning, and a migration playbook — otherwise you’ve traded one operational debt for another.



