Answering the “build vs. buy” question for cookie consent tools

With the alphabet soup of data privacy legislation growing every day, emerging and established businesses alike have to decide how they’ll approach compliance.

Consent management sits at the top task of their compliance to-do list. As of this writing, European data protection authorities have levied over €1.6 billion in fines to enterprises and small businesses alike, often because of the use of cookies without user consent.

In the US, five different states have their own data privacy laws, with the promise of an eventual federal data privacy bill on the horizon. Enforcement authorities will be eager to prove that their laws have teeth, especially in the early days after they go into effect.

Noncompliance can be expensive, but becoming compliant can be painful as well, especially if the budget didn’t account for the need to become compliant with cookie laws.

Businesses need to ask themselves: Which is better, building an in-house cookie consent tool or buying one from a third-party vendor? Let’s dive into the pros and cons of each.

Pros and cons of building your own cookie consent tool

Pros

Gain total control

The main reason to build your own cookie consent tool is to gain more control over the end product. Building it yourself means you can take a design and developmental approach that prioritizes your requirements, rather than what a third party had in mind for their product roadmap.

You might, for example, decide to build a solution using the Interactive Advertising Bureau’s Transparency Consent Framework (TCF), which allows third-party vendors to categorize their cookies and enables publishers (i.e., you, the website owner) to turn those cookies on or off based on the user's consent choices. Or, maybe you decide to manage consent primarily through Google Tag Manager (GTM), using it to fire or block cookie tags based on the users’ consent preferences. You could take both approaches, or a different approach entirely. Once you select a vendor, however, you’re stuck with their preferred development approach.

Beyond just the development approach, you could configure your cookie consent banner to make it feel less intrusive, to optimize for consent rates (which we recommend against, as it can render your cookie consent banner non-compliant), to match your brand, and so on.

You could choose what happens to the actual consent data for your own analytics or record-keeping purposes, host the consent system on your own server or in the cloud, design your tool for one regulation in particular or another, and configure and tweak your tool in virtually any way so long as it complies with the governing data privacy law.

Some third-party vendors offer significant customizability in their tools, some offer less customizability, but none offer as much customizability as building your own tool affords you. If absolute control is important to you, then building your own cookie consent banner system might be an attractive option.

Save on upfront costs

If you’re a solo-entrepreneur, a hobbyist, or otherwise an individual with access to more time than capital, then building your own cookie consent tool could be a viable approach.

Even for the smallest teams, however, the cost of building a tool is far greater than buying one. Legal consultation and development hours are costly resources that quickly add up. Essentially, if you have to pay someone else to develop a cookie consent tool for you, then building an in-house solution will quickly become more expensive over the long term. If you can do the work yourself, then building may be a way to get a minimum viable product off the ground.

Cons

Exposes you to legal risk

With greater control over your cookie consent tool comes greater risk. If something goes wrong and a users’ consent preferences are lost, if their data is collected when they didn’t give consent, or if your security measures accidentally expose user data that was meant to be deleted, you’ll be fully liable.

The fact is that no matter how diligent you are in adhering to data privacy regulations and developing your tool, you won’t be able to match the level of diligence that a company whose primary business hinges upon keeping its customers compliant. Thus, building your own cookie consent tool automatically increases your risk relative to buying.

More complicated than at first blush

Building a cookie consent tool isn’t as simple as building a banner with an “Accept All Cookies” button and a “Reject All Cookies” button. You need to meet specific legal requirements and actually execute on what you tell users you’re going to do.

There are businesses that put up faux cookie consent banners that aren’t connected to anything on the backend, banking on the odds that they’re too small to be noticed by data protection authorities. This usually doesn’t work out for them.

A functional cookie consent tool needs to:

• Hook into the various cookies on your website
• Drop them into the user’s browser or block them based on their consent preferences
• Store consent records and update them if the user changes their mind later
• Have a minimal impact on your website’s performance

Obviously, all of this can become very complicated very quickly.

You’ll likely end up with a non-scalable point solution

Especially considering the technical difficulty of building a cookie consent tool, the odds are good that the solution you’ll build will be designed to meet your compliance needs as they stand now, and not as they will be in the future.

What happens if the law changes? What happens if you start receiving data subject access requests (DSARs) at an unsustainable rate? What happens if you expand to a new region with new requirements for cookie consent? Each of these will require updates or expansions to your tool that may not have been accounted for in the original scope.

Requires a long-term commitment

As pointed out above, you’ll need to continue to update your cookie consent tool on an ongoing basis. Not only will this consist of regular maintenance and bug fixes, but you’ll also need to stay up to date on the latest in privacy law. Ultimately, compliance is a process; not a one-and-done activity.

Creates opportunity cost

While you’re developing your cookie consent tool and maintaining it in the future, what aren’t you doing? The time and resources you spend on your cookie consent tool could be better spent generating revenue, seeking additional funding, strategizing, and more.

Pros and cons of buying your own cookie consent tool

Pros

Rapid compliance

Once you evaluate, buy, and implement a cookie consent tool, you won’t have to spend much time thinking about it anymore. Building your own tool requires you to move through the entire software development lifecycle — procuring a cookie consent tool is always going to be faster.

That means you can:

• Launch your website faster
• Start offering your products or services faster
• Recoup your investment into compliance faster
• Gain market share faster

For businesses that prioritize time to market, buying a compliance solution is a clear winner over building one in-house.

Risk distribution and reduction

When you agree to use another vendor’s compliance products, you are likely reducing your overall legal risk. If you build your own cookie consent tool in-house and something goes wrong, your organization will bear 100% of the responsibility. If you use a third-party vendors’ tool and something goes wrong, there’s the possibility that the fault lies with the vendor, and you may have recourse under your agreement with them.

Best practice is to look for a consent management vendor that stands behind its platform. Osano, for instance, offers a “No Fines, No Penalties” pledge — if you’re found to be noncompliant as a result of using our platform, we’ll pay any resulting fines up to $200k.

Data privacy vendors are well aware of this risk, and they have a brand reputation to maintain as well. Not only could they be liable if one of their products was found to be noncompliant, nobody would buy from them ever again. Because compliance is their entire business, they’re able to spend far more time and effort on compliance than any other type of business could justify.

Scalability

Building an in-house solution often results in a business slowly slipping out of compliance as the law changes and as the organization’s focus on compliance diminishes. Since a compliance vendor needs to keep up with the changing legal landscape and obviously has to provide a working product, businesses gain the benefit of a cookie consent tool that works over the long term.

But cookie consent is merely the most-visible compliance need for many companies. While not all vendors can be said to offer a scalable compliance product, many offer cookie consent as one tool in a larger platform. As your business grows and begins to receive more DSARs, acquire customers from other jurisdictions with different regulations, and need more technical support in staying compliant, the right third-party compliance vendor can provide a solution that scales.

Cons

Upfront cost

It can be tough to justify purchasing a compliance solution like a cookie consent tool. After all, it doesn’t really add to your bottom line — not directly at least. But having a cookie consent banner in place is part of what it takes to have a modern business website today. If you have customers in a jurisdiction covered by cookie consent laws or have ambitions of expanding into that market, then you need to be asking for consent prior to collecting customer data. The alternative is to risk fines of up to $7,500 per violation in the US. In the EU, fines can reach 4% of your annual revenue or €20 million ($22.8 million) — whichever is higher.

This isn’t meant to be taken as fear-mongering — rather, the idea is to demonstrate the value that a cookie consent tool brings. Buying one upfront can be expensive, but it almost always costs less than the development time it takes to build one yourself and certainly less than a fine.

Perhaps most significantly, buying a cookie consent tool means buying peace of mind. The nagging fear of an unexpected audit or legal notice won’t be something that takes up your attention.

Lack of control

Buying a cookie consent tool means giving up a degree of control over how the solution operates and appears. The degree to which this matters really depends on the vendor and your own business in question.

With the wrong solution, you might be stuck with a poorly developed product that impacts your website's load speed and is difficult to implement — but that’s a risk that comes with buying any kind of software product for your website.

You might have preferences regarding the look and feel of the cookie consent banner as well. Some products allow you to customize the banner design and even tweak its language or functionality, but again, this means flirting with noncompliance.

However, a compliance solution really shouldn’t be ultra-customizable. One of the biggest reasons to buy a compliance solution is because you aren’t an expert, and you need an automated way of implementing expert guidance on your website. Branding is all well and good, but a compliance solution should have guardrails that prevent too much tinkering, thereby preventing noncompliance.

Build versus buy: Who wins?

Under most circumstances, buying a cookie consent tool is the clear winner compared to building your own.

If you’re an individual working as a hobbyist or solo-entrepreneur and you don’t have access to the funds to buy a cookie consent tool, then building your own may be an option. Even then, it’s just a stop-gap solution that exposes you to undue legal risk. As you grow larger, it becomes more important to:

• Reduce your risk
• Become compliant in new jurisdictions rapidly
• Use your team members’ time on revenue generation and strategy
• Outsource your non-core competencies to experts

Naturally, once you decide that you fall on the “buy” side of the build vs. buy argument, everything depends on what you decide to buy. The pros and cons described in this article will be more or less significant depending on the solution you choose. The evaluation process is important — why not kick it off with a demo of the Osano consent management platform?