Cookie Consent & Privacy

If you have any third-party scripts (analytics, ads, embeds) and any EU traffic, you need a consent banner that actually gates those scripts.

Open-source / self-host

• ★ c15t — TypeScript-first consent management, framework-agnostic, modern API. The most-recommended open-source option for new TS projects in 2026.
• ★ Klaro — established, free, GDPR-friendly, supports script gating out of the box.
• CookieConsent (vanilla-cookieconsent) — lightweight, vanilla JS, MIT.
• react-cookie-consent — minimal React banner; you bring the gating logic.
• Civic UK Cookie Control — free for low-traffic sites.

SaaS (free tiers)

• Cookiebot — free for very small sites; paid above.
• Iubenda — free tier; also generates privacy policies.
• Termly — small free tier.
• OneTrust — enterprise standard; not free.

Privacy policy / ToS generators

• Termly, Iubenda, GetTerms.io, PrivacyPolicies.com — generators with free tiers.
• DocuSign / PandaDoc — for signing, not generating.

Analytics that don't require consent

• Plausible, Umami, Cloudflare Web Analytics, Vercel Web Analytics, Pirsch, GoatCounter — all advertise no-cookies, no-consent-banner-needed (verify against your jurisdiction).

DSAR / data export tooling

• Datafold, Datatask, Mine — GDPR DSAR (Data Subject Access Request) automation.
• Most apps roll their own "export my data" page.

What to gate

• ★ Always gate before consent: Google Analytics, Meta Pixel, TikTok Pixel, ad networks, Hotjar, FullStory, Intercom (if using cookies), most CRM trackers.
• Usually safe without consent: privacy-friendly analytics (Plausible, Umami, etc.), strictly necessary cookies (auth session), anti-fraud.
• Verify with a lawyer for your jurisdiction — this is informational, not legal advice.

Pick this if…

• TS-first new project, don't want to think about it: c15t.
• Static site, vanilla JS: Klaro or vanilla-cookieconsent.
• You'll skip the banner entirely: switch to privacy-friendly analytics (Plausible/Umami/Cloudflare) and remove third-party tracking.