Build vs Buy Cookie Consent: What a DIY Banner Really Costs

A cookie consent banner looks like a weekend project. Here's what a DIY build actually costs over five years — and the cases where building your own makes sense.

Written by
Daniel
Published on
Build vs Buy Cookie Consent: What a DIY Banner Really Costs

"It's just a banner. We can build it ourselves in a weekend."

Every engineering lead has heard some version of this, and lately it lands harder than ever: a developer can scaffold a consent banner before lunch — two buttons, a cookie to remember the choice, a bit of CSS. The demo looks great, the pull request is small, and someone in the room does the math on the CMP subscription you'd be skipping.

The math is usually wrong, but not because the banner is hard to build. It's wrong because the banner is maybe 10% of the system. The other 90% — consent logging, geo rules, script blocking, Google Consent Mode, regulatory churn — is invisible in the demo and lands on your team forever.

This is an honest engineering-economics breakdown: what "done" actually means, what it costs, and — because it's not always the wrong call — when building genuinely makes sense.

For most companies, buying is cheaper: a properly built DIY consent system runs roughly 300–400 engineering hours over five years (around $30,000–$40,000 at blended rates) plus permanent legal-monitoring overhead, while a CMP costs a fraction of that. Building only makes sense if your tracking footprint is tiny, you operate in one jurisdiction, or consent infrastructure is genuinely your product.

The catch is the word "properly." A banner that shows two buttons but doesn't block scripts before consent, doesn't log proof, and doesn't adapt to jurisdiction isn't a cheap version of compliance — it's documented non-compliance with a UI on top. So the real comparison isn't "weekend project vs. subscription." It's "full consent system vs. subscription."

What building your own banner actually involves

Here's the spec a regulator — not your product manager — has written for you.

Reject must be as easy as accept

In December 2021, France's CNIL fined Google €150 million and Facebook €60 million because accepting cookies took one click while rejecting took several. Equal-prominence reject is now table stakes across EU regulators, and the EDPB's cookie banner taskforce has flagged deceptive layouts, pre-ticked boxes, and link-buried refusals. Your button layout is a legal question, not a design preference.

A banner that says "we respect your choice" while GA4 and your retargeting pixel fire on page load is worse than no banner. Enforcement here is active, not theoretical: in September 2025 the CNIL fined SHEIN €150 million for placing advertising cookies before consent — and for continuing to set cookies after users clicked "Reject all." Real blocking means gating every tag, SDK, and inline script behind consent state, and keeping that gating intact every time marketing adds a tool.

Collecting consent isn't enough; you must be able to prove it. In June 2023 the CNIL fined adtech firm Criteo €40 million, in part for being unable to demonstrate that valid consent existed for the data it processed. A defensible log captures the timestamp, the banner version and options shown, the user's selection, and the jurisdiction — without itself becoming a PII liability. That's a tamper-resistant, queryable datastore with retention policies. You build it, host it, and answer audits from it.

Geo rules and reject-all parity by region

The EU and UK require prior opt-in. Most US states run opt-out, but with their own furniture: "Do Not Sell or Share" links, and honoring Global Privacy Control browser signals — required in California (Sephora paid $1.2 million partly for ignoring GPC), Colorado, Texas, and a growing list of states. Twenty US states now have comprehensive privacy laws on the books. Other countries each add their own variant — see where opt-in consent is actually required. A DIY build needs IP-to-jurisdiction detection, per-region consent models and default behavior, and a matrix that expands every legislative session.

Since March 2024, advertisers using Google tags for EEA traffic must send consent signals — including the v2 parameters ad_user_data and ad_personalization — or lose ad personalization, remarketing, and conversion modeling. And if you monetize with AdSense, Ad Manager, or AdMob, you can't DIY this part at all: since 16 January 2024, Google requires a Google-certified CMP integrated with the IAB's Transparency and Consent Framework (TCF) to serve personalized ads in the EEA and UK. A homemade banner is, by definition, not on that list.

Everything else in the spec

  • Cookie and vendor scanning. Marketing adds tools constantly; each one ships cookies that must be detected, categorized, and disclosed. Manually, that's a recurring audit nobody enjoys — see how automatic cookie scanning works.
  • Multi-language banners. Consent must be informed, which regulators read as "in a language your users understand."
  • Accessibility. Keyboard navigation, focus management, screen-reader labels, and contrast — a modal that traps users or can't be operated without a mouse is both a UX failure and a legal exposure.
  • Preference re-surfacing. Users must be able to withdraw consent as easily as they gave it, which means a persistent settings entry point and re-prompt logic.
  • Ongoing legal maintenance. The spec changes without asking you. The CNIL fined Google another €325 million in September 2025 over cookie consent design and Gmail ads. Someone on your team now reads EDPB guidance for a living.

What it costs: realistic numbers

Take the simplest honest case: one generic banner for your main market — no multi-region logic, no TCF, one language — but built properly, with real script blocking, stored consent records, and someone keeping it current. Assume a blended, fully loaded engineering cost of $100/hour (swap in your own) over five years.

Task (single-market banner) Est. hours / 5 yrs Cost @ $100/hr
Initial build: UI, accept/reject, preference center, consent storage, script gating 80 $8,000
Consent logging + retrievable audit records 40 $4,000
Cookie discovery and re-categorization (~3 hrs/quarter) 60 $6,000
Script-blocking upkeep as tags come and go (~2 hrs/quarter) 40 $4,000
Google Consent Mode v2 wiring + keeping it working 30 $3,000
Regulatory monitoring and updates (EDPB, CNIL, new US states) 50 $5,000
Bug fixes, browser changes, cross-device QA, accessibility 40 $4,000
Total ~340 hrs ~$34,000

Argue with any individual row — the point survives. Even the stripped-down case runs to tens of thousands of dollars, against a CMP subscription that typically costs a few hundred to a few thousand dollars over the same period. Add a second region, a few languages, GPC handling, or TCF, and the build column climbs fast while the buy column stays flat.

Two costs aren't even in the table: the opportunity cost of ~340 engineering hours not spent on your product, and the bus factor — a niche compliance system that one engineer understands is a liability the day they leave.

When building genuinely makes sense

This wouldn't be an honest analysis if the answer were always "buy."

You barely track anything. If your site sets only strictly necessary cookies and a self-hosted, cookieless analytics tool, you may need only a minimal notice — or no banner at all. Don't buy a CMP to manage zero vendors.

You operate in exactly one opt-out jurisdiction. A US-only product with no EU/UK traffic, a short tag list, and a competent privacy counsel can run a simple opt-out link plus GPC handling without much ongoing churn. The economics tighten the moment you add EEA users or paid acquisition.

Consent is your product, or compliance is your moat. If you're an adtech or privacy company, this is core infrastructure. Build it.

You're gluing, not building. Open-source consent libraries are a reasonable middle path for developers who want control without writing storage and blocking logic from scratch — though regulatory updates remain your job. We compare the options in the best cookie consent tools for developers.

What doesn't hold up: "AI made it cheap to build." Coding assistants collapse the cost of the first version, but initial development was never where the cost lived — decades of software-economics research (Boehm's Software Engineering Economics onward) put the majority of lifecycle cost in maintenance. Cookie consent has an unusually brutal maintenance profile because the requirements are set by regulators on a schedule you don't control. Faster scaffolding just makes it easier to confidently start building the wrong thing.

The total-cost comparison

Build Buy
Upfront cost ~80–150 hrs engineering Hours, not weeks, to deploy
Regulatory updates Your legal + eng teams, indefinitely Vendor ships to all customers
Cookie/vendor scanning Manual, recurring Automatic
Consent records Build and host your own store Included, audit-ready
Consent Mode v2 / TCF Maintain against Google's changes Maintained for you; certified CMPs available
GPC + geo logic Build the matrix yourself Configuration
Who's accountable when it breaks You A vendor whose whole business is this
5-year cost (single market) ~$34,000 in eng time Typically a low four figures

Supportive: buying frees your best engineers for the work only they can do. Cynical: nobody ever chose your product because of your consent logging schema — and they never will.

What to actually do

  1. Inventory your tracking. Run a scan of your site's cookies, scripts, and pixels. If the list is near zero, you may not need much at all.
  2. Map your jurisdictions. Where are your users? EEA/UK traffic means opt-in, reject-all parity, and Consent Mode v2. US traffic means opt-out links and GPC.
  3. Price the build honestly. Use the table above with your own rates — include logging, blocking, geo, and the quarterly maintenance rows, not just the UI.
  4. Check the monetization constraint. If you serve Google ads in the EEA/UK, a certified TCF CMP is mandatory — DIY isn't an option for that piece.
  5. If you buy, evaluate properly. Here's how to choose a cookie management platform without getting lost in feature matrices.
  6. Whatever you choose, verify behavior. Open devtools in a clean profile and confirm nothing non-essential fires before consent. That single check catches the failure mode behind most cookie fines.

Where CookieChimp fits

CookieChimp exists so you never have to staff the build column. It's a simple yet powerful consent management platform: automatic cookie scanning keeps your inventory current as marketing adds tools, geo-targeted banners apply the right consent model and language per region, consent logging gives you audit-ready records, and Google Consent Mode v2 and GPC support are built in rather than bolted on. You deploy in minutes, and it stays compliant without your team touching it.

FAQ

Isn't a cookie banner just two buttons and a cookie?

The banner is; compliance isn't. Valid consent requires category-level choices, genuine script blocking before consent, equal-prominence reject, auditable logs, geo-aware behavior, and ongoing updates as rules change. The UI is the smallest part of the system — and the only part a weekend build delivers.

How much does it cost to build a cookie consent system in-house?

A realistic single-market build runs about 300–400 engineering hours over five years — roughly $30,000–$40,000 at a $100/hour blended rate — covering the initial build plus logging, scanning, script-blocking upkeep, Consent Mode maintenance, and regulatory updates. Multi-region or multi-language setups cost substantially more.

Can my custom banner send Google Consent Mode v2 signals?

Yes — advertisers can implement Consent Mode themselves by sending the ad_storage, analytics_storage, ad_user_data, and ad_personalization signals from their own banner. But if you monetize with AdSense, Ad Manager, or AdMob in the EEA or UK, Google requires a Google-certified CMP integrated with the IAB TCF for personalized ads, which a homemade banner can't satisfy.

Do I have to honor Global Privacy Control with a DIY banner?

In a growing list of US states, yes. California treats GPC as a valid opt-out (Sephora's $1.2 million settlement turned partly on ignoring it), Colorado mandates universal opt-out mechanisms, and Texas and roughly a dozen other states have followed. If you build your own, GPC detection and handling is part of the spec.

What happens if my banner doesn't block scripts before consent?

In opt-in jurisdictions, that's the violation regulators fine most often — the CNIL's €150 million SHEIN fine in 2025 was for exactly this, including cookies set after users clicked "Reject all." A banner that displays choices but doesn't enforce them creates evidence of non-compliance rather than protection.

When does building your own consent solution make sense?

When your tracking footprint is minimal, you operate in a single opt-out jurisdiction with privacy expertise in-house, or consent infrastructure is itself your product. For everyone else it's commodity plumbing with regulator-imposed maintenance — a textbook buy.

References

  1. DLA Piper Privacy Matters, "FRANCE: Cookies – new record sanctions – CNIL fines Facebook Ireland 60 million euros and Google 150 million euros": privacymatters.dlapiper.com
  2. European Data Protection Board, "Personalised advertising: French SA fined CRITEO EUR 40,000,000": edpb.europa.eu
  3. European Data Protection Board, "French SA: Cookies placed without consent: SHEIN fined 150 000 000 EUR by the CNIL": edpb.europa.eu
  4. European Data Protection Board, "French SA: Cookies and advertisements inserted between emails: GOOGLE fined 325 000 000 EUR by the CNIL": edpb.europa.eu
  5. Google Ads Help, "Updates to consent mode for traffic in the European Economic Area (EEA)": support.google.com
  6. Google AdSense Help, "Google consent management requirements for serving ads in the EEA, the UK, and Switzerland (for publishers)": support.google.com
  7. California Attorney General, "Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act": oag.ca.gov
  8. MultiState, "20 State Privacy Laws in Effect in 2026: Key Dates & Changes": multistate.us
  9. European Data Protection Board, "Report of the work undertaken by the Cookie Banner Taskforce": edpb.europa.eu
  10. Global Privacy Control, "Take Control Of Your Privacy": globalprivacycontrol.org

Ready to skip the build column entirely? Get started with CookieChimp and deploy a compliant, geo-aware consent banner in minutes.

The content of this article is provided for information purposes only and does not constitute legal or other advice.