
CMP Build or buy - Tale as old as time(tracking)


Since the entry into force of the GDPR, consent management and the handling of personal data have been a hot topic for website operators. Almost every website collects data as soon as a person lands on it, but only a few are model students when it comes to handling consent management correctly. But what does that mean exactly?

For example, data may only be collected after the user has given his or her consent, and never before. All scripts are therefore inactive until this point.

When informing users about the purpose of data collection, all purposes must be listed clearly, understandably and transparently. Confusing legal texts that are not meaningful for laypersons have no place here.

The choices then given to readers must be identical in form and design, so no text or button may be highlighted, made larger, or hidden. These practices are often referred to as "dark patterns" and are outlined in detail in one of our blog posts.

However, these issues are subtleties when it comes to implementing a Consent Management Platform (CMP). Compatibility with previously deployed systems and basic functionality need to be considered at the beginning of the design.

Why are IoT devices to be treated differently now and why do I need a CMP there?

You can brush up on the basics of Consent Management in just a few minutes in our blog posts. There we explain the difference between Consent Management on websites and Consent Management for IoT devices.

Briefly explained: a solution is needed to obtain consent for, for example, the smart light bulb, which itself does not provide a screen or other interaction capabilities. Consequently, this step needs to be built into the associated control app to obtain consent for data storage and processing. With this solution, all the principles for proper consent management must again be adhered to: i.e., identical design, clear information, and education about revocation options.

The more you look into this topic, the more facets there are to discover. The legal background must also be considered and properly implemented, which requires a combination of different skills if you want to develop a solution yourself. A few suggestions for what the questions on this topic can look like can be found here, although this list is not to be understood as exhaustive:

Your checklist: What questions do I need to ask myself before I start tinkering or searching?


  • Which data should be collected?

  • What solutions are prevalent in the environment?

  • Where do the providers of the available solutions come from and to which countries will my data be sent?

  • In which countries are the company's servers located?

Points of comparison

  • How much support should the solution provider provide and in what quality?

  • In which areas do I need support?

  • How quickly does the provider adapt to new developments?

  • How individually can the solution be tailored to my company?

  • Does the provider already take design issues such as "dark patterns" into account?

Internal questions

  • Who has access to the data?

  • How many people are involved in maintaining and analyzing the data?

  • For what purposes is data collected?

  • Will the data collected be shared externally?

  • What data is already being collected?

  • Is data collected that is not relevant to the company?

Weigh costs and resources: Who can be seconded and how much budget may be spent?

Other questions that are crucial to the decision between building and buying have to do with the associated personnel costs. Integrating new software means reckoning not only with acquisition costs, but also with costs for the maintenance and ongoing support of the solution. A company must also be aware in advance that most resources will be spent in trial-and-error situations. Depending on the scope and intended application of the solution to be built, the costs and time required can only be roughly estimated, and in very few cases do they develop in a linear fashion.

Where can APOCRAT help and where not?

In short: with networked devices. As soon as you run a service on a networked device, such as a smart light bulb, a vacuum cleaner robot or an internet-connected speaker, we are able to make your product data privacy compliant. With our three components, the Software Development Kit, the Web Platform and the Consent Screens, we ensure freedom of choice and uncomplicated management of user data. With the Software Development Kits, we are integrated into your IoT device and the associated app, so that communication works smoothly and your users' settings can be applied immediately. The functionality of our solution is described in detail in this blog post.

As experts in the field of smart home and data protection, we are at your disposal with a 360-degree view. In order to better understand the legal situation, we work with specialized law firms and are part of various committees, such as the BVDW, in the field of data protection. This means that we are constantly confronted with the latest trends and developments and are also in a position to help shape them.

Have we aroused your interest? Schedule your personal consultation appointment directly and convince yourself of our expertise!

Partner & Sales Manager: Alexander Jürgens
E-Mail: office@apocrat.at
Mobile: +43 676 4025255