POST 05.01 · Cookie Banners · 8 min read

Build your own CMP vs pay for one: which path makes sense in 2026

A pragmatic comparison of building a Consent Management Platform in-house versus paying for a commercial CMP. Five jobs every CMP must do, where DIY wins and where it breaks, and why ConsentModeHQ ships its own.

TL;DR · THE SHORT VERSION

Building a Consent Management Platform sounds straightforward — show a banner, store a cookie, fire gtag('consent','update', ...). In practice the divide between a custom banner and a commercial CMP comes down to three things: regulatory drift, audit defensibility, and TCF v2.3 framework participation. We built a custom one for this site because we don’t sell ads through IAB framework partners. If you do, the calculus flips fast.

The setup

Every site that loads non-essential cookies needs to ask the visitor first — that’s the regulatory thrust of GDPR, ePrivacy, LGPD, CCPA/CPRA, and a dozen other laws. The mechanism that does the asking, records the answer, and gates the tags accordingly is called a Consent Management Platform (CMP).

You can pay for one — Cookiebot, OneTrust, Iubenda, CookieYes, Termly, Usercentrics, Cookie Information all sell CMPs as a service, with prices ranging from “free for small sites” to five figures per year for enterprise. Or you can build your own, as we have for this site.

The decision is rarely “which is technically better” — both options work. The decision is which fits your obligations, your budget, and your team.

What a CMP actually does

Strip away the marketing pages and a CMP only has five real jobs:

  1. Surface a notice the first time a visitor lands, explaining what cookies the site uses and asking permission for non-essential ones.
  2. Record the choice in a way that’s recoverable across visits (cookie + storage), versioned (so legal updates re-prompt), and timestamped (for audits).
  3. Gate the tags: while consent is missing or denied, no analytics ping, no ad pixel, no tracking script fires. When consent updates, tags wake up. Google Consent Mode v2 is the de facto bridge for the GTM/GA4 universe; the IAB TCF v2.3 string is the bridge for ad networks.
  4. Re-prompt when the policy changes, when consent expires, or when the user explicitly revisits their preferences.
  5. Defend itself in an audit: produce evidence that consent was collected, with what specific text, when, and on which categories.
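The five jobs above as they look in code. This is an added example, not the site's own banner code or any vendor's SDK: a small consent-state engine that keeps every Consent Mode v2 signal denied until a valid record exists (job 3), stores a versioned, timestamped record together with a hash of the exact prompt text (jobs 2 and 5), and re-prompts when the policy version or the record's age no longer fits (job 4). CONSENT_VERSION, MAX_AGE_MS, the four category names and the record shape are assumptions; the six signal names are the Consent Mode v2 ones.

```javascript
// Added example, not the site's own code. CONSENT_VERSION, MAX_AGE_MS, the
// category names and the record shape are assumptions; only the six Consent
// Mode v2 signal names come from Google's specification.

const CONSENT_VERSION = 3;                    // bump whenever the policy text changes
const MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // 180 days, then consent expires
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// FNV-1a 32-bit hash over the UTF-16 code units of the exact prompt text shown.
// Stored with the record so an audit can tie a recorded choice to specific
// wording (job 5) without persisting the whole text in the cookie.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Consent Mode v2: everything except strictly-necessary storage starts denied,
// so nothing fires before the visitor has answered (job 3, "missing" case).
function defaultConsentMode() {
  return {
    security_storage: 'granted',
    functionality_storage: 'denied',
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
  };
}

// Map the four categories onto the six Consent Mode v2 signals.
function toConsentMode(choices) {
  const g = (on) => (on ? 'granted' : 'denied');
  return {
    security_storage: 'granted',
    functionality_storage: g(choices.functional),
    analytics_storage: g(choices.analytics),
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
  };
}

// Job 2: the record that gets persisted. Unknown keys are dropped, 'necessary'
// is forced on, everything else is coerced to a boolean so the shape is stable.
function makeRecord(choices, promptText, now = Date.now()) {
  const c = {};
  for (const cat of CATEGORIES) {
    c[cat] = cat === 'necessary' ? true : Boolean(choices && choices[cat]);
  }
  return { v: CONSENT_VERSION, ts: now, prompt: fnv1a(promptText), choices: c };
}

// Job 4: re-prompt when there is no record, the policy version moved on, the
// record has expired, or it is malformed (a tampered record must grant nothing).
function needsPrompt(record, now = Date.now()) {
  if (!record || typeof record !== 'object') return true;
  if (record.v !== CONSENT_VERSION) return true;
  if (typeof record.ts !== 'number' || now - record.ts > MAX_AGE_MS) return true;
  if (!record.choices || typeof record.choices !== 'object') return true;
  return false;
}

// Job 3: the state to hand to gtag for the current record. Stale or missing
// consent falls back to the all-denied defaults, not to the old choices.
function consentModeFor(record, now = Date.now()) {
  return needsPrompt(record, now) ? defaultConsentMode() : toConsentMode(record.choices);
}

// Push the state to gtag when it is loaded; the state is returned so callers
// (and tests) can inspect what was sent.
function applyConsent(record, gtag = globalThis.gtag, now = Date.now()) {
  const state = consentModeFor(record, now);
  if (typeof gtag === 'function') gtag('consent', 'update', state);
  return state;
}

// Job 5: the evidence handed over for one visitor's record in an audit.
function auditEvidence(record) {
  return {
    policyVersion: record.v,
    promptTextHash: record.prompt,
    recordedAt: new Date(record.ts).toISOString(),
    categories: { ...record.choices },
  };
}
```

In a browser, the banner's button handlers would call `makeRecord(...)`, persist the result, and then `applyConsent(record)`; on every later page view the persisted record goes through `applyConsent` again, which is where the version and expiry checks decide whether the banner comes back. The one design choice worth copying is that a record failing any check collapses to the all-denied default rather than to whatever it used to say.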

That’s it. Anything else — the language switcher, the dashboard, the integrations panel — is value-add.

The case for buying one

Commercial CMPs earn their fee on three fronts.

Regulatory plumbing they keep current. GDPR didn’t stop evolving in 2018. The DMA, the AI Act, the EDPB guidelines on dark patterns, US state laws, Brazil’s LGPD interpretive shifts — these landed every quarter for years. A vendor with twenty engineers tracking it is going to push updates faster than a freelance developer can react. If you don’t have legal counsel on retainer and a developer who reads supervisory authority decisions for fun, you’re paying the vendor to do that work for you.

TCF v2.3 + Google Additional Consent. If you monetize through the open ad ecosystem — Google Ad Manager, AppNexus / Xandr, header bidding — your CMP must be TCF-registered and emit the right consent string with vendor IDs, purposes, and special features. Not just “registered once” — actively maintained, with the Global Vendor List refreshed when vendors join or leave. This is not a weekend build.

Audit defensibility. When a regulator or a PII-conscious user asks you to prove that you collected valid consent for a given visitor session, the vendor can hand you a record: the prompt text shown, the version, the IP-anonymized fingerprint, the timestamp. Building that infrastructure yourself means dedicated logging, retention policies, redaction rules, and a way to query it. Not impossible, but not free either.

The integrations. Plugging a commercial CMP into WordPress, Shopify, or a Next.js SaaS app is usually a one-line config. The vendor maintains the bridge with GTM, with the ad networks, and with the cookie-scanner tools that crawl your site weekly to keep the disclosure list current. Building those bridges yourself is a year-round project.

The case for building your own

Where commercial CMPs get expensive is where DIY wins.

Cost predictability. Commercial CMPs price by sessions, sites, languages, or “consent recordings per month”. A growing publisher can find itself paying €600/month before the marketing budget is settled. A custom banner has zero recurring cost beyond the developer hours that wrote it.

Full control over UX. Every commercial CMP has its own design language. You can override their CSS to a point, but the modal opens at a fixed position, the buttons sit in a fixed order, and the language is editable but not infinitely. If consent is part of your brand — and for a site like this one, it is — you want the banner to feel like the rest of the editorial.

No “consent fatigue” theater. Some commercial CMPs are configured to maximize “Accept” rates by visual asymmetry — accept is the bright button, reject is hidden behind a “manage” link. That’s increasingly being ruled illegal under GDPR (the EDPB’s guideline on dark patterns is explicit). A custom banner you control can be balanced by default. We treat “Reject all” and “Accept all” as visually equal here. That’s a choice.

No third-party JS in your critical path. Many commercial CMPs ship a 100-200 KB JS payload that runs before any other tag. If your performance budget is tight — and a site that scores Core Web Vitals well ranks better — that’s measurable. A custom banner can be 3 KB minified, inlined into the head if you want.

No vendor lock-in. Switching CMPs midway is painful: consent strings are not portable, recorded preferences are stored in vendor-specific schemas, and the integration with your tag manager has to be redone. With a custom banner, the cookie format, the consent state schema, and the tag-gating all stay in your repo.

Where DIY breaks down

Don’t let the previous section fool you. There are scenarios where building your own is a bad idea.

  • You participate in IAB TCF v2.3. If your ad networks expect a TCF consent string, you are signing up for a meaningful chunk of compliance work — and you have to be a registered CMP with the IAB. Don’t try to homebrew this. Pay a vendor.
  • You operate across many regulatory regions with different defaults (EU vs US vs Brazil vs Singapore). Geo-detection, per-region consent text, state-specific notices (e.g. California’s “Sale or Share” language) — that’s the kind of detail that’s painful to maintain by hand. A vendor with a localization team is worth the bill.
  • You do not have a developer who can ship CSS + JS confidently. A broken banner is worse than no banner — it shows up at 3am and traps every visitor in a blank screen. If your only way to update the site is the WP admin UI, install a CMP plugin and don’t touch it.
  • You are processing health, biometric, or children’s data. Higher-tier consent obligations apply (GDPR Art. 9 special categories, COPPA for kids in the US). Buy something that’s been audited for those use cases. The cost of getting it wrong is enormous.
  • You need granular vendor disclosure (“we share data with these 250 ad partners; here’s the list”). Commercial CMPs auto-update this from the Global Vendor List; doing it manually means tracking 250 vendors’ privacy policies. Don’t.

What we built and why

This site uses a custom 3 KB consent banner that ships in our WordPress theme, with four categories — strictly necessary, functional, analytics, marketing — wired directly to Google Consent Mode v2. When you accept analytics, GA4 wakes up. When you accept marketing, the affiliate click tracking starts firing. When you accept neither, only the security and functionality storage stays granted.

We’re not registered with TCF v2.3. We don’t sell ads through the IAB ecosystem. We don’t use behavioral retargeting. Our entire monetization is direct affiliate links to CMP vendors that pay us when readers click through and subscribe. So the IAB framework simply isn’t part of our compliance surface.

We rebuilt because:

  • The brand voice extends to the consent prompt. Our banner uses the same dark canvas, the same lime accent, the same monospace kicker as the rest of the editorial. A vendor’s banner would have looked stapled on.
  • We wanted “Reject all” to be visually equal to “Accept all” — no asymmetry, no friction. Most commercial CMPs default to a hierarchy.
  • Performance budget. A 3 KB inline banner fires before any layout shift; a 150 KB vendor banner doesn’t.
  • The integration is as simple as a gtag('consent', 'update', ...) call. No SDK initialization, no async race conditions with the rest of the site.
  • We can show our work. The whole CMP — defaults, consent flow, persisted state, tag gating — lives in five files in the theme repo. If a reader wants to know exactly what consent looks like on this site, they can read the source.

If we were a SaaS startup or a publisher running ad networks, we’d pay for one. The math would flip. But for an editorial site with a single affiliate channel, custom is the right tradeoff.

NOTE · TRY IT: OPEN YOUR DEVTOOLS AND CLEAR THE CMHQ_CONSENT COOKIE

Then refresh the page. The banner re-appears in the lower-right. Choose any of the three actions; the cookie returns with a versioned JSON payload, and Consent Mode emits the right granted/denied state to GA4. Reopen via “Cookie preferences” in the footer.
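An added example of the persistence side of that flow, not the site's own theme code: helpers that write the consent cookie with sensible attributes, delete it (what clearing it in DevTools does by hand), and read it back defensively so that a malformed or hand-edited value falls back to "no consent yet" instead of granting a category or throwing and leaving the page with no banner at all. The cookie name `cmhq_consent` (lowercased from the note above), the version number, the lifetime and the record shape are assumptions; the attributes are standard Set-Cookie attributes.

```javascript
// Added example, not the site's own code. Cookie name, version, lifetime and
// record shape are assumptions.

const COOKIE_NAME = 'cmhq_consent';          // assumed lowercase form of the name above
const CURRENT_VERSION = 3;                   // assumed current policy version
const COOKIE_MAX_AGE_S = 180 * 24 * 60 * 60; // 180 days
const KNOWN = ['necessary', 'functional', 'analytics', 'marketing'];

// Build the string to assign to document.cookie. SameSite=Lax keeps the cookie
// off cross-site requests, Secure keeps it off plain HTTP, Path=/ makes it
// site-wide so every page sees the same answer.
function buildConsentCookie(record, { secure = true } = {}) {
  const value = encodeURIComponent(JSON.stringify(record));
  const attrs = [`Max-Age=${COOKIE_MAX_AGE_S}`, 'Path=/', 'SameSite=Lax'];
  if (secure) attrs.push('Secure');
  return `${COOKIE_NAME}=${value}; ${attrs.join('; ')}`;
}

// The "clear it" flow: same name and path with Max-Age=0 deletes the cookie,
// and the next page load shows the banner again.
function clearConsentCookie() {
  return `${COOKIE_NAME}=; Max-Age=0; Path=/; SameSite=Lax`;
}

// Pull one cookie's raw value out of a document.cookie-style "a=1; b=2" string.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Decode and validate. Anything that is not a well-formed, current-version
// record with a boolean for exactly the known categories yields null, which the
// banner treats as "no consent yet". The cookie is client-controlled, so a
// truncated, edited or wrong-version value must never grant a category and must
// never throw out of this function.
function parseConsentCookie(cookieString) {
  const raw = readCookie(cookieString, COOKIE_NAME);
  if (raw === null) return null;
  let parsed;
  try {
    parsed = JSON.parse(decodeURIComponent(raw)); // either call may throw
  } catch {
    return null;
  }
  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  if (parsed.v !== CURRENT_VERSION) return null;
  if (!Number.isFinite(parsed.ts)) return null;
  if (!parsed.choices || typeof parsed.choices !== 'object') return null;
  const choices = {};
  for (const cat of KNOWN) {
    if (typeof parsed.choices[cat] !== 'boolean') return null;
    choices[cat] = parsed.choices[cat];
  }
  if (!choices.necessary) return null;
  return { v: parsed.v, ts: parsed.ts, choices };
}
```

In the page this is `document.cookie = buildConsentCookie(record)` after a button click and `parseConsentCookie(document.cookie)` on load; a null result is the signal to show the banner and keep every Consent Mode signal at its denied default. The parser returns a freshly built object rather than the decoded one, so keys that were never part of the schema cannot ride along into the rest of the banner code.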

How to decide

Run through these in order. The first “yes” tells you to buy.

  1. Are you in the IAB TCF v2.3 ad ecosystem (ad networks, header bidding, programmatic display)? → Buy.
  2. Do you operate in 3+ regulatory regions with different defaults? → Buy (or factor a localization budget).
  3. Are you processing special-category data (health, biometric, kids)? → Buy and consult counsel.
  4. Do you need a managed cookie-scanner whose disclosures auto-update? → Buy.
  5. Is your developer time worth more than €200/month for the indefinite future? → Buy.

If all five are “no”, DIY is on the table. If you’re a publisher with a single tag manager, an analytics-only setup, and a strong design language, DIY is genuinely the better answer.


This isn’t a recommendation against the commercial CMPs we list. They earn their fee for the use cases above. The point is to be honest about which use cases those are, and to push back on the assumption that everyone needs the same level of compliance machinery. Most editorial sites don’t.

About the author
Consent Mode HQ
Editorial team at Consent Mode HQ