Two Hosting Models, Very Different Responsibilities

Every consent management platform runs somewhere. That somewhere determines who controls the consent data, how fast the banner loads, and how much engineering time you spend keeping it running. The two dominant models are cloud-hosted (SaaS) and self-hosted (on-premises or your own infrastructure), and the gap between them is wider than most website owners realise.

Cloud CMPs handle infrastructure, updates, and uptime on your behalf. Self-hosted CMPs hand you full ownership of the stack, from the database storing consent records to the JavaScript served to visitors.

Neither option is universally better. The right choice depends on your regulatory exposure, technical team, and how much control you actually need over consent data.

What Cloud-Hosted CMPs Offer

A cloud CMP runs on the vendor's infrastructure. You add a script tag to your site, configure your banner in a dashboard, and the vendor handles everything behind the scenes: serving the banner JavaScript from a CDN, storing consent records, processing geo-detection, and pushing updates when regulations change.

The advantages are practical. There is no server to provision, no database to back up, no security patches to apply. Compliance updates - such as adapting to IAB TCF v2.3, which became mandatory in February 2026 - arrive automatically without requiring a code deployment on your side.

Most cloud CMPs also offer global CDN distribution. The banner script loads from the nearest edge node, which reduces latency for visitors regardless of geography.

The trade-off is dependency. Your consent data sits on someone else's servers. If the vendor experiences downtime, your banner may fail to load. And if the vendor's infrastructure is outside the EEA, you may inherit cross-border data transfer obligations under GDPR Chapter V.

What Self-Hosted CMPs Offer

A self-hosted CMP runs entirely on infrastructure you control. The consent banner code, the configuration files, the consent log database - all of it lives on your own servers or private cloud environment.

Data residency is the primary draw. With a self-hosted setup, consent records never leave your infrastructure. If your servers are in the EU, there is no cross-border transfer to assess. Remote access by support staff in third countries - which the EDPB considers a data transfer - is eliminated when the whole stack is managed in-house.

Full control also means full customisation. You can modify the banner code, integrate directly with your backend systems, and tailor the consent logic to match unusual requirements without waiting for a vendor's feature request queue.

Performance: Script Weight and Loading Speed

Cookie banners affect Core Web Vitals. Research by DebugBear found that some popular CMPs load over 200 KB of JavaScript, and poorly configured banners can push Largest Contentful Paint from 1.4 seconds to over 3.6 seconds. Cumulative Layout Shift also suffers when banners insert content that pushes page elements downward.

Cloud CMPs vary widely in script size. Lightweight cloud solutions serve under 30 KB gzipped, while heavier enterprise platforms can exceed 200 KB. The CDN advantage offsets some of this weight through caching and edge delivery.

Self-hosted CMPs give you direct control over what gets loaded. You can strip unused features, defer non-critical components, and serve the script from the same domain as your site - avoiding the additional DNS lookup and TLS handshake that external scripts require. Serving from a first-party domain also sidesteps ad-blocker interference, since many blockers target known third-party CMP domains.

The catch: optimisation is your responsibility. A self-hosted CMP that nobody maintains can easily become slower than a well-tuned cloud alternative.

Performance Comparison at a Glance

Factor | Cloud CMP | Self-Hosted CMP
Typical script size | 30-200+ KB | Depends on build
CDN delivery | Included (global edge nodes) | You must configure your own CDN
DNS lookup overhead | Extra lookup for vendor domain | None (same origin)
Ad-blocker risk | Higher (known vendor domains) | Lower (first-party domain)
Caching control | Vendor-managed | Full control over cache headers
Ongoing optimisation | Vendor handles | Your engineering team handles

Data Residency and GDPR Transfer Rules

Consent records contain personal data: at minimum, a user identifier, the timestamp, and the choices made. Under GDPR, processing this data outside the EEA requires a valid transfer mechanism such as Standard Contractual Clauses or an adequacy decision.

Cloud CMPs typically process data in the region where their infrastructure sits. Many EU-focused vendors now offer EEA-only hosting, but not all do. If your cloud CMP routes consent data through US-based servers, you need to verify that appropriate safeguards are in place under GDPR Articles 44 to 49.

Self-hosted CMPs eliminate the transfer question entirely - provided your infrastructure stays within the EEA. This is a significant compliance simplification for organisations subject to strict data sovereignty requirements, such as public sector bodies or financial institutions.

Keep in mind that even a self-hosted setup can trigger transfer rules if your hosting provider's support team accesses servers from outside the EEA.

Maintenance, Updates, and the Hidden Cost of Control

Self-hosted CMPs require ongoing engineering effort. Regulatory changes, browser updates, and security patches all fall on your team. When the ePrivacy Directive gets superseded by a regulation - still pending since 2017 - a cloud CMP will update automatically. A self-hosted CMP will need manual code changes.

Consider the maintenance surface:

  • Banner JavaScript and UI components
  • Consent storage database (backups, retention policies)
  • Geo-detection logic for jurisdiction-specific banners
  • Google Consent Mode v2 integration
  • TCF string generation and vendor list updates
  • Security patching for the web server and dependencies

For a team with dedicated privacy engineers, this is manageable. For a small marketing team running a WordPress site, it is a serious commitment. A cloud solution removes that burden at the cost of less granular control.
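To make one item on that list concrete, here is what a Google Consent Mode v2 integration looks like on a self-hosted banner. This is an added example, not code from any CMP: the category names (analytics, marketing, preferences) and the 500 ms wait are assumptions, while the `gtag('consent', ...)` commands and signal names are Google's.

```javascript
// Added example. Category names are hypothetical; adapt them to your banner.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Consent Mode v2 signals grouped by the banner category that controls them.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  preferences: ['functionality_storage', 'personalization_storage'],
};

// Fail closed: only an explicit boolean true grants a signal. A missing
// category, a null choice object, or a string such as "true" read back
// from a malformed cookie all resolve to 'denied'.
function toConsentState(choices) {
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const granted = choices != null && choices[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Must run before any Google tag loads, so tags start in the denied state.
function setConsentDefaults() {
  gtag('consent', 'default', { ...toConsentState(null), wait_for_update: 500 });
}

// Call when the visitor saves a choice, and again on later page loads
// once the stored choice has been read back.
function applyVisitorChoice(choices) {
  gtag('consent', 'update', toConsentState(choices));
}
```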

Compliance Feature Parity

Cloud CMPs compete on compliance features. Geo-detection, automatic regulation matching, scheduled cookie scanning, consent log storage with audit trails, and multi-language support are standard in most commercial cloud platforms.

Self-hosted CMPs rarely match this feature set out of the box. Building geo-detection that correctly identifies whether a visitor falls under GDPR, CCPA, LGPD, or POPIA - and serves the right banner variant - is a non-trivial engineering project. Maintaining a cookie classification database that stays current is equally demanding.

Feature Availability by Hosting Model

Feature | Cloud CMP | Self-Hosted CMP
Geo-detection | Built-in | Must build or integrate
Automatic cookie scanning | Built-in | Must build or integrate
TCF v2.3 string generation | Vendor-maintained | Must implement and update
Consent log with audit trail | Built-in | Must design database schema
Multi-language banners | Usually included | Must implement translations
Google Consent Mode | Pre-integrated | Must implement API calls
Regulatory updates | Automatic | Manual code changes
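For the consent log row, the following added example (not taken from any CMP) sketches one possible record design in Node.js: the identifier is stored as a keyed pseudonym and each entry is hash-chained to the previous one so edits or deletions are detectable. The field names, the `policyVersion` field and the hash-chain approach are assumptions chosen for illustration, not a GDPR requirement.

```javascript
const { createHash, createHmac } = require('node:crypto');

const GENESIS = '0'.repeat(64); // prevHash of the first entry

// Keyed pseudonym: the raw visitor identifier never lands in the log.
function pseudonymise(visitorId, key) {
  return createHmac('sha256', key).update(visitorId).digest('hex');
}

// Canonical serialisation (fixed field order, sorted choice keys) so the
// hash is reproducible after an export/import round trip.
function entryHash(e) {
  const choices = Object.keys(e.choices).sort().map((k) => [k, e.choices[k]]);
  const body = [e.seq, e.subject, e.timestamp, e.policyVersion, choices, e.prevHash];
  return createHash('sha256').update(JSON.stringify(body)).digest('hex');
}

function appendConsent(log, record, key) {
  const prev = log[log.length - 1];
  const entry = {
    seq: log.length,
    subject: pseudonymise(record.visitorId, key),
    timestamp: record.timestamp,
    policyVersion: record.policyVersion, // hypothetical: banner text version shown
    choices: { ...record.choices },
    prevHash: prev ? prev.hash : GENESIS,
  };
  entry.hash = entryHash(entry);
  log.push(entry);
  return entry;
}

// Index of the first entry that fails verification, or -1 if intact.
function verifyLog(log) {
  let prevHash = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i || e.prevHash !== prevHash || e.hash !== entryHash(e)) return i;
    prevHash = e.hash;
  }
  return -1;
}

// Constructed sample data: one grant, then a withdrawal by the same visitor.
function demoLog(key = 'constructed-demo-key') {
  const log = [];
  appendConsent(log, { visitorId: 'visitor-123', timestamp: '2026-03-01T10:00:00Z', policyVersion: 'v1', choices: { analytics: true, marketing: false } }, key);
  appendConsent(log, { visitorId: 'visitor-123', timestamp: '2026-03-05T08:30:00Z', policyVersion: 'v1', choices: { analytics: false, marketing: false } }, key);
  return log;
}
```

The chain only proves integrity if the latest hash is also recorded somewhere the database administrator cannot rewrite, and the HMAC key must be stored apart from the log.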

When Self-Hosted Makes Sense

Self-hosting is worth the effort in specific scenarios. Large enterprises with dedicated privacy engineering teams, organisations in regulated sectors like financial services or healthcare, and public sector bodies with strict data residency mandates all have legitimate reasons to keep consent infrastructure in-house.

If your organisation already runs its own CDN, has a DevOps team capable of managing additional services, and faces regulatory pressure to avoid any third-party data processing, self-hosting removes a dependency and a data transfer risk.

The cost is real, though. Budget for at least one engineer spending partial time on CMP maintenance, plus the infrastructure costs for hosting, CDN, and database services.

When Cloud CMP Is the Practical Choice

For the majority of websites - small businesses, agencies, publishers, and mid-market companies - a cloud CMP delivers better compliance outcomes with less effort. The vendor absorbs the complexity of regulatory tracking, browser compatibility, and infrastructure management.

Cloud CMPs also scale without intervention. Whether your site receives 1,000 or 10 million monthly visitors, the vendor's CDN handles the load. With a self-hosted solution, traffic spikes can overwhelm your infrastructure if capacity planning falls short.

The key is choosing a cloud vendor that offers EEA data residency and transparent data processing agreements. That combination gives you the convenience of SaaS without the data transfer headaches.

Frequently Asked Questions

Does a self-hosted CMP guarantee GDPR compliance?

No. Self-hosting controls where data is stored, but GDPR compliance also requires valid consent collection, proper record-keeping, and respect for user rights. Hosting model is only one part of the compliance picture.

Can a cloud CMP store consent data in the EU only?

Many cloud CMPs now offer EEA-only data residency as a configuration option. Check whether your vendor provides this and whether it covers all data flows, including support access and backups.

Is a self-hosted CMP faster than a cloud CMP?

It can be, because serving scripts from your own domain eliminates extra DNS lookups and avoids ad-blocker interference. But performance depends on your infrastructure and optimisation effort - a neglected self-hosted CMP can be slower than a well-tuned cloud alternative.

Do I need a DPA with my cloud CMP provider?

Yes. Your cloud CMP provider processes personal data on your behalf, making them a data processor under GDPR Article 28. A data processing agreement is required before you begin using the service.

How much engineering time does a self-hosted CMP require?

Expect at least partial allocation of one engineer for ongoing maintenance, including regulatory updates, security patches, browser compatibility fixes, and database management. The initial setup can take several weeks depending on feature scope.

Can I switch from self-hosted to cloud CMP later?

Yes, though migrating consent records requires careful planning. Consent logs collected under one system need to be preserved and mapped to the new platform's format to maintain your audit trail.
