
Complio vs GDPR Consultancy Audit: Comparison

25 February 2026 10 min read DPLIANCE

Complio vs GDPR consultancy audit: which solution to choose for auditing your website

89 euros in 10 minutes, or 5,000 euros in 6 weeks. These are the two realities of the GDPR audit market in 2026. On one side, specialist consultancy firms. On the other, Complio, the automated GDPR website audit tool developed by DPLIANCE. This comparison details what each approach covers, what it does not, and when to choose one or the other.

The current GDPR audit market

Consultancies dominate search results

When a company searches for “GDPR website audit” on Google, they find consultancy firms: Boscop, RGPD Consulting, Grant Thornton, Digitemis. Some display their prices: Qweri.fr announces “from 5,000 euros excl. VAT” for a compliance audit. Others do not communicate pricing and propose a quote after an initial meeting.

This positioning creates a barrier to entry. A 15-person SME that simply wants to know if its website is GDPR-compliant faces proposals ranging from 3,000 to 15,000 euros, with delivery timelines of several weeks (source: leto.legal). The result: many companies postpone the audit or never do it at all.

The CNIL (French DPA), however, does not wait

While companies hesitate, the CNIL is intensifying its controls. In 2025, 83 sanctions were issued for a total of 486.8 million euros. The simplified procedure, used for 67 of these 83 sanctions, allows fines up to 20,000 euros without lengthy proceedings (source: CNIL, 2025 review). Over 60% of sanctions concerned SMEs. The CNIL uses robots to automatically scan websites and detect the most common violations, particularly regarding cookies.

The paradox is clear: the companies most in need of an audit are those without the budget for a consultancy.

Comparison table: Complio vs consultancy audit

| Criterion | Complio | Consultancy firm |
|---|---|---|
| Price | 89 euros excl. VAT (106.80 euros incl. VAT) | 3,000 to 15,000 euros excl. VAT |
| Timeline | Approximately 10 minutes | 3 to 6 weeks |
| Website scope | Cookies, CMP, third-party scripts, forms, legal pages, security headers, non-EU transfers | Covered, but manually |
| Organisational scope | Not covered | Records of processing, processor contracts, internal procedures, DPIAs |
| Technology | Playwright crawl + Mistral AI + Pixtral vision | Human expertise |
| Report | Automatic structured PDF with 0-100 score | Report written by a consultant |
| Recommendations | Generated by Mistral AI, site-specific | Written by consultant, contextualised |
| Repeatability | Reproducible audit with every site change | New quote for each audit |
| Account required | No, one-off payment via Mollie | Service contract |
| Crawl depth | Up to 15 pages, depth 2 | Full site if needed |

What Complio does in detail

Complio is an automated GDPR audit tool powered by Mistral artificial intelligence. Here is how it works concretely.

Real site crawl

Complio uses Playwright in headless mode to navigate your site exactly as a real user would with a browser. It crawls up to 15 pages at depth 2 from the homepage. This is not a simple HTTP request: JavaScript is executed, cookies are recorded, third-party scripts are loaded.

Cookies deposited before consent are the crucial point the CNIL checks first. Complio records cookies deposited before any interaction with the consent banner, then after acceptance. This double measurement detects sites that display a banner but deposit trackers before consent, which constitutes a direct violation of the CNIL guidelines (source: CNIL).

Visual CMP analysis by Pixtral

The Pixtral (Mistral) multimodal LLM visually analyses the consent banner to check its compliance: presence of a “Reject” button as visible as “Accept”, clarity of information presented, accessibility of settings options. This is a unique approach that reproduces what a CNIL inspector would see when visiting your site.

Third-party script inventory

Each third-party script loaded on crawled pages is identified: analytics, advertising, social media, CDN, fonts, widgets. For each script, Complio notes the source domain and flags potential data transfers to servers located outside the European Union.

Form analysis

Each detected form is analysed: what personal data fields are collected (name, email, phone, address), and whether an Article 13 GDPR-compliant information notice is present near the form (source: CNIL).

Complio checks for the presence of mandatory pages: legal notices, privacy policy, cookie policy. It detects these pages via the usual links in footers and in the cookie banner.

Security headers

The report includes HTTP security header analysis: HTTPS, HSTS, X-Frame-Options, Content-Security-Policy, and cookie security attributes (HttpOnly, Secure, SameSite), in accordance with the CNIL recommendations on website security (source: CNIL).
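The header checks listed above can be expressed as a short audit over recorded response headers. This is an added example, not Complio's code: the sample response, the 180-day HSTS threshold, the acceptance of CSP `frame-ancestors` as framing protection, and the way items are counted for the compliant/applicable ratio are all assumptions.

```python
import re

# Constructed sample: headers a crawler might record for one page.
SAMPLE = {
    "url": "https://shop.example/",
    "headers": [
        ("Strict-Transport-Security", "max-age=300"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "prefs=dark; Path=/"),
    ],
}
MIN_HSTS_AGE = 15552000  # assumption: 180 days is the pass threshold

def cookie_flags(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in set_cookie.split(";")[1:]}
    return name, attrs

def audit(page):
    """Return a list of (item, passed) for every applicable check."""
    hdr, cookies = {}, []
    for key, value in page["headers"]:
        if key.lower() == "set-cookie":      # may repeat, so keep each one
            cookies.append(cookie_flags(value))
        else:
            hdr[key.lower()] = value
    checks = [("https", page["url"].lower().startswith("https://"))]
    m = re.search(r"max-age=(\d+)", hdr.get("strict-transport-security", ""), re.I)
    checks.append(("hsts", bool(m) and int(m.group(1)) >= MIN_HSTS_AGE))
    csp = hdr.get("content-security-policy", "")
    checks.append(("csp", bool(csp.strip())))
    # Framing protection: X-Frame-Options, or its CSP successor frame-ancestors.
    xfo = hdr.get("x-frame-options", "").strip().upper()
    checks.append(("framing", xfo in ("DENY", "SAMEORIGIN")
                   or "frame-ancestors" in csp.lower()))
    for name, attrs in cookies:
        for flag in ("secure", "httponly", "samesite"):
            checks.append((f"cookie:{name}:{flag}", flag in attrs))
    return checks

def failures(checks):
    return [item for item, ok in checks if not ok]

def score(checks):
    """Compliant items / applicable items, scaled to 0-100."""
    return round(100 * sum(ok for _, ok in checks) / len(checks))

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(score(result), failures(result))
```

A short HSTS `max-age` fails here even though the header is present, which is the kind of finding a presence-only check misses.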

Detected cookies are automatically classified using the Open Cookie Database: cookie name, publisher, purpose (essential, analytics, marketing, functional), retention period. Unknown cookies are flagged for investigation.
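The double measurement (cookies before any banner interaction, then after acceptance) and the catalogue-based classification described above fit together as follows. This is an added example, not Complio's code: the two snapshots are constructed, `CATALOG` is a four-entry stand-in for a source such as the Open Cookie Database, and treating only "essential" cookies as allowed before consent is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed stand-in catalogue: (name pattern, publisher, purpose).
CATALOG = [
    ("PHPSESSID", "PHP", "essential"),
    ("_ga", "Google Analytics", "analytics"),
    ("_ga_*", "Google Analytics", "analytics"),
    ("_fbp", "Meta", "marketing"),
]

# Constructed snapshots of the browser cookie jar.
BEFORE = [  # recorded before any interaction with the consent banner
    {"name": "PHPSESSID", "domain": "shop.example"},
    {"name": "_ga", "domain": ".shop.example"},
    {"name": "xz_track", "domain": ".cdn.example"},
]
AFTER = BEFORE + [  # recorded after clicking "Accept"
    {"name": "_ga_AB12CD34", "domain": ".shop.example"},
    {"name": "_fbp", "domain": ".shop.example"},
]

def classify(name):
    """Return (publisher, purpose); unmatched names come back as unknown."""
    for pattern, publisher, purpose in CATALOG:
        if fnmatchcase(name, pattern):
            return publisher, purpose
    return None, "unknown"

def compare(before, after):
    """Split findings into pre-consent violations, unknowns and consented cookies."""
    report = {"violations": [], "unknown": [], "consented": []}
    seen = set()
    for cookie in before:
        seen.add((cookie["name"], cookie["domain"]))
        publisher, purpose = classify(cookie["name"])
        if purpose == "unknown":
            report["unknown"].append(cookie["name"])       # needs manual review
        elif purpose != "essential":
            report["violations"].append((cookie["name"], publisher, purpose))
    for cookie in after:
        if (cookie["name"], cookie["domain"]) not in seen:  # set only after consent
            report["consented"].append((cookie["name"], classify(cookie["name"])[1]))
    return report

if __name__ == "__main__":
    for section, items in compare(BEFORE, AFTER).items():
        print(section, items)
```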

Score and PDF report

Everything is synthesised in a structured PDF report: executive summary, detail per analysed page, compliance score out of 100 (compliant items / applicable items ratio), and recommendations generated by Mistral AI. This report is an actionable deliverable you can share with your technical team or DPO.

What a consultancy does in detail

A GDPR consultancy firm (outsourced DPO, specialist lawyer, cybersecurity consultancy) offers an audit whose scope is much broader than just the website.

Organisational audit

The core of a consultancy’s service is the organisational audit:

  • Records of processing: mapping of all personal data processing operations across the company (HR, clients, suppliers, marketing, accounting)
  • Data Protection Impact Assessment (DPIA): risk assessment for high-risk processing
  • Processor contracts: verification of GDPR clauses with service providers (host, CRM, email tool, accountant)
  • Internal procedures: rights management (access, rectification, deletion), data breach notification, retention policy
  • Training: team awareness of best practices

Technical website audit

The technical website component is covered, but represents a fraction of the overall scope. A consultant manually navigates the site, checks cookies with browser developer tools, reads legal pages, tests forms. This work is methodical but slow: expect half a day to a full day for a medium-sized site.

Report and recommendations

A consultancy’s report is a document written by a human expert, contextualised relative to the company’s activity, sector, size and constraints. Recommendations take organisational feasibility into account and rank actions by priority and risk.

Cost and timeline

A GDPR audit by a consultancy costs between 3,000 and 7,000 euros for an SME, and up to 15,000 euros for a mid-cap company (source: leto.legal). The average daily rate of an outsourced DPO is 600 euros. The engagement duration is 3 to 6 effective working days, but the total calendar timeline (with exchanges, validations, report writing) extends to 3 to 6 weeks.

When to choose Complio

Complio is the right solution in the following cases:

You want a quick diagnosis of your site

You are launching a new site, you have changed your CMP, you have added a form or a third-party script: you need to know immediately if your site is compliant. Complio delivers a report in 10 minutes.

You have a limited budget

89 euros excl. VAT. That is the price of a business lunch, not an investment to budget for. For a micro-business or SME, it is a negligible cost compared to the risk of a 20,000 euro CNIL fine via the simplified procedure.

You want to audit regularly

A website evolves. Each update, each new feature can introduce a new non-compliance point. With Complio, you can audit your site monthly or quarterly without blowing your budget. Four audits per year cost 356 euros excl. VAT, less than 10% of the price of a single consultancy audit.

You want a deliverable for your DPO

Complio’s PDF report is structured, factual and actionable. Your internal or outsourced DPO can use it as a basis for prioritising corrective actions on the website.

You want proof of your compliance efforts

The GDPR accountability principle (Article 24) requires the ability to demonstrate the measures taken. A dated and documented audit report is supporting evidence of your compliance efforts.

When to choose a consultancy

A consultancy remains essential in the following cases:

You have never undertaken GDPR compliance

If your company has no records of processing, no rights management procedure, no DPO: the website is only part of the problem. A consultancy supports you across the full scope of organisational compliance.

You process sensitive data

Health data, biometric data, criminal offence data: these special categories require a Data Protection Impact Assessment (DPIA) and expert support that only a professional can provide.

You need an authoritative audit

In the context of a tender, certification or due diligence, a report signed by a recognised firm carries weight that automation cannot replace.

You have complex processing operations

Profiling, automated decision-making, massive international transfers, cascading sub-processing: these situations require fine legal analysis beyond the scope of a technical scan.

The combined approach: the most effective

The real answer is not “Complio or a consultancy”. It is “Complio and a consultancy, each in its place”.

Complio secures the technical component of your website, immediately, for 89 euros. It identifies visible issues that the CNIL can detect with its own robots. It gives you a score, a report and actionable recommendations in 10 minutes.

A consultancy structures your overall organisational compliance: records, procedures, contracts, training. It is a heavier investment but necessary for complete compliance.

One does not replace the other. But one costs 89 euros and takes 10 minutes. And that is the one to do first, because your website is the attack surface the CNIL can check at any time, without warning, with its robots.

FAQ: Complio vs GDPR consultancy

Can Complio replace a DPO?

No. Complio audits the visible technical component of your website. A DPO (internal or outsourced) covers the full GDPR compliance of the organisation: processing operations, procedures, training, incident management. These are two complementary scopes.

Is the Complio report admissible in a CNIL inspection?

The Complio report is a factual document listing verified elements, detected compliances and non-compliances, with a score and recommendations. It constitutes evidence of your compliance efforts under the accountability principle (Article 24 GDPR). It does not replace a formal audit report by a consultancy, but it documents your vigilance.

Why does Complio only crawl 15 pages?

Complio’s goal is to audit the representative pages of your site: homepage, service pages, contact forms, legal pages. 15 pages at depth 2 cover the typical structure of a brochure or corporate site. For an e-commerce site with thousands of product pages, GDPR compliance issues are found on template pages (cart, account, checkout), not on each product listing.

Does a consultancy check the same things as Complio on the website?

Yes, but manually. A consultant opens developer tools, navigates page by page, checks cookies, reads legal pages. Complio automates this verification with a headless browser and AI, comprehensively and reproducibly, at a fraction of the time and cost.

Can I use the Complio report to brief a consultancy?

Absolutely. Complio’s PDF report gives a precise technical snapshot of your site’s compliance status. A consultancy can use it as a starting point to focus its engagement on the critical issues identified, thereby reducing time and cost.

Take action

Your website is live. The CNIL can scan it tomorrow. A consultancy audit takes 6 weeks and costs 5,000 euros. Complio takes 10 minutes and costs 89 euros.

Better to know before the CNIL does.
