Cookilio vs Tarteaucitron: Which Cookie Manager to Choose?

18 February 2026 · 8 min read · DPLIANCE

Cookilio vs Tarteaucitron: Should You Choose Free or Proof?

When looking for a GDPR-compliant cookie manager, two approaches compete. On one side, open source: free, transparent, community-driven. On the other, a software vendor’s solution: paid, supported, with solid legal guarantees. Cookilio and Tarteaucitron embody these two approaches.

Tarteaucitron has existed since 2013. It’s a French open source project created by Amauri Champeaux, available on GitHub with nearly a thousand stars and an active community. It powers thousands of sites, particularly in the public sector.

Cookilio, published by DPLIANCE, is a sovereign CMP with server-side consent proof, an ultra-lightweight widget, and setup support. Two French tools, two visions of consent.

In a context where CNIL (French data protection authority) imposed nearly 487 million euros in fines in 2025 — a significant portion related to tracker violations (source: CNIL 2025 report) — your CMP choice deserves thorough analysis.

Before comparing features, let’s ask the essential question: what is a CMP for?

Not just to display a banner. A CMP must:

  1. Inform the user clearly and completely
  2. Collect consent that is freely given, specific, and informed
  3. Block all third-party scripts before explicit consent
  4. Prove that consent was obtained in accordance with the law

CNIL states that “each entity relying on consent must be able to provide proof of it” (source: CNIL - Cookie FAQ). It’s on this fourth point that Tarteaucitron and Cookilio fundamentally diverge.

Tarteaucitron: The Community’s Choice

Tarteaucitron’s Strengths

Tarteaucitron is a remarkable project. It democratized cookie management in France well before CNIL tightened its guidelines. Its strengths are real:

  • Free and open source: the code is on GitHub, auditable by anyone
  • Large service catalog: 100+ preconfigured services in the open source version, up to 225 in the Pro version (source: tarteaucitron.io)
  • Active community: regular contributions, community-provided documentation
  • Lightweight: the client-side script is performant and fast to load
  • No third-party dependency: the code runs directly on your site
  • Pro version available: at EUR 190 excl. tax/year, it adds a WordPress plugin, statistics, and support (source: tarteaucitron.io/pricing)

Tarteaucitron’s Limitations

But Tarteaucitron has structural limitations that are important to understand:

  • No server-side consent proof: consent is stored in a cookie or localStorage in the user’s browser. If the user clears their cookies, the proof disappears. During a CNIL audit, you have no server-side record.
  • 100% client-side: all logic runs in the browser. No backend, no database, no centralized registry.
  • No analytics dashboard: no visibility on consent rates, user choices, or trends over time.
  • Technical integration: setup requires web development skills. You need to modify your site’s source code and configure each service in JavaScript.
  • No commercial support (open source version): in case of problems, you depend on the GitHub community and forums.

Cookilio: Proof First

The Cookilio Approach

Cookilio starts from a conviction: privacy is a right, and consent is a commitment to uphold. This translates into specific technical choices:

  • Server-side consent proof: each consent is recorded in your own database with a unique correlation ID, a timestamp, and detailed choices per vendor.
  • Ultra-lightweight Preact widget: the client widget is built with Preact, a 3 KB framework, for minimal impact on your site’s performance.
  • Multi-step banner (wizard): the user is guided step by step through their choices, not confronted with a wall of text.
  • Granular script blocking: each vendor has specific approval and rejection scripts. No third-party script executes before explicit consent.
  • Self-hosted: data stays on your servers. Total sovereignty.
  • Full customization: 8 colors, banner position, logo, display delays.
  • Support and setup: DPLIANCE supports the installation (EUR 250 excl. tax, one-time fee) and provides ongoing support.

Detailed Comparison Table

| Criterion | Cookilio | Tarteaucitron (open source) | Tarteaucitron Pro |
|---|---|---|---|
| Price | EUR 9 excl. tax/month + EUR 250 excl. tax setup | Free | EUR 190 excl. tax/year |
| Consent proof | Server-side, correlation IDs, on your servers | Client-side only (cookie/localStorage) | Client-side only |
| Consent storage | MariaDB database (your servers) | User’s browser | User’s browser |
| Banner | Multi-step wizard | Classic banner | Classic banner |
| Preconfigured services | No (manual configuration) | 100+ services | 225+ services |
| Script blocking | Per vendor, approval/rejection scripts | Per service, client-side blocking | Per service, client-side blocking |
| Analytics dashboard | Angular admin interface | No | Activation statistics |
| WordPress plugin | No | No (manual integration) | Yes |
| Multi-language | French UI, customizable text | Yes (community) | Yes |
| Support | Included (DPLIANCE) | GitHub community | Commercial support |
| Skills required | Low (supported setup) | High (JavaScript integration) | Moderate |
| Data sovereignty | Total (your servers) | Total (client-side) | Total (client-side) |
| Tech stack | Preact + NestJS + MariaDB + Angular | Vanilla JavaScript | Vanilla JavaScript |
| Open source | No | Yes | No |

Server-Side Proof: Why It’s Decisive

This is the core issue. Let’s break it down.

The Client-Side Problem

With Tarteaucitron, consent is stored in a cookie or localStorage in the browser. Concretely, this means:

  • If the user clears their cookies (which privacy-conscious users regularly do), the proof disappears
  • If the user switches browsers, the proof doesn’t exist in the new browser
  • In private browsing, the proof is lost when the window closes
  • You have no centralized registry of collected consents
  • During a CNIL audit, you cannot produce formal proof

Cookilio’s Server-Side Solution

With Cookilio, each consent interaction is recorded server-side:

  • A unique correlation ID links each proof to a user session
  • The record is immutable in your MariaDB database
  • You have a complete history of consents via the Angular admin interface
  • During an audit, you can export the proof directly from your infrastructure

This difference is not theoretical. CNIL sanctioned 21 organizations in 2025 for tracker-related violations (source: CNIL 2025 report). Being able to produce solid proof is your best protection.

Integration and Setup

Tarteaucitron: For Developers

Installing Tarteaucitron’s open source version requires:

  1. Adding the script to your site
  2. Configuring each service in JavaScript
  3. Modifying source code to replace third-party script tags with Tarteaucitron calls
  4. Manual testing to verify each service is correctly blocked/unblocked

It’s doable, but it requires a developer comfortable with JavaScript and a good understanding of how trackers work.

Cookilio: Supported Setup

Cookilio’s installation is handled by DPLIANCE:

  1. Configuring vendors in the admin interface
  2. Integrating the Preact widget on your site (one script to add)
  3. Configuring approval and rejection scripts for each vendor
  4. Testing and validation

Setup fees (EUR 250 excl. tax) cover this support. You don’t need to be a developer to manage your vendors day-to-day.

The Real Cost: Free Isn’t Always Free

Tarteaucitron is free. But the real cost includes:

  • Developer time for initial integration (allow several hours to several days depending on site complexity)
  • Maintenance: updates, adding new services, bug resolution
  • Legal risk: no server-side proof during an audit
  • No support: in case of a critical issue, you’re on your own

Cookilio costs EUR 9 excl. tax/month + EUR 250 excl. tax for setup. Over the first year, that’s EUR 358 excl. tax. From the second year onward, EUR 108 excl. tax. In return, you get solid consent proof, support, and guided setup.

Tarteaucitron Pro at EUR 190 excl. tax/year fills some gaps (WordPress plugin, statistics, support) but doesn’t solve the fundamental problem: the absence of server-side proof.

Who Is Each Solution For?

Choose Tarteaucitron if:

  • You have a developer capable of handling integration and maintenance
  • You have no strong constraint on consent proof
  • Budget is your primary criterion
  • You value open source and total technical independence
  • Your site is simple with few third-party services

Choose Cookilio if:

  • Server-side consent proof is a priority (CNIL audits, regulated sector)
  • You prefer supported setup and responsive support
  • Data sovereignty on your own servers is non-negotiable
  • You want a multi-step wizard banner, not a simple bar
  • You don’t have a dedicated developer for cookie management

FAQ

Is Tarteaucitron sufficient for GDPR compliance?

Tarteaucitron blocks scripts before consent and informs the user, which covers part of the obligations. However, the lack of server-side consent proof is a weakness. CNIL requires that each entity be able to prove the consent obtained. A client-side cookie, deletable by the user, may not constitute sufficient proof during an audit.

Is Cookilio open source?

No. Cookilio is software published by DPLIANCE. However, it is self-hosted: you deploy the solution on your own infrastructure, giving you total control over your consent data, unlike a SaaS hosted by a third party.

Is the Cookilio widget as lightweight as Tarteaucitron?

The Cookilio widget is built with Preact (approximately 3 KB), making it one of the lightest CMP widgets on the market. Tarteaucitron is also lightweight. Both solutions have minimal impact on performance and Core Web Vitals.

Can I use Tarteaucitron and add my own server-side proof?

Technically, it’s possible: you could develop a system that records consent choices server-side alongside Tarteaucitron. But this represents significant development (API, database, session correlation). Cookilio includes this functionality natively.
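
The server-side record described earlier in this article (correlation ID, timestamp, per-vendor choices) and the do-it-yourself option in this answer can be implemented along the following lines. This is an added example, not Cookilio's or Tarteaucitron's code: the `ConsentLedger` class, its field names, the `policyVersion` field and the SHA-256 hash chain used to make edits detectable are assumptions, and an in-memory array stands in for the database table.

```javascript
// Added example (not vendor code): append-only, hash-chained consent ledger.
// Names, fields and the hash chain are assumptions; an array stands in for the DB table.
const { createHash, randomUUID } = require('node:crypto');

const GENESIS = '0'.repeat(64); // prevHash of the very first row

// Canonical serialisation with fixed field and vendor order, so hashes are reproducible.
function canonical(rec) {
  const choices = Object.keys(rec.choices).sort().map((v) => [v, rec.choices[v]]);
  return JSON.stringify([rec.correlationId, rec.timestamp, rec.policyVersion, choices, rec.prevHash]);
}

function hashRecord(rec) {
  return createHash('sha256').update(canonical(rec)).digest('hex');
}

class ConsentLedger {
  constructor() { this.rows = []; }

  // Record one consent interaction. The server sets the timestamp, never the browser.
  append(choices, { correlationId = randomUUID(), policyVersion = 'v1', now = new Date() } = {}) {
    const entries = Object.entries(choices || {});
    if (entries.length === 0) throw new TypeError('choices must map vendor id to boolean');
    for (const [vendor, granted] of entries) {
      if (typeof granted !== 'boolean') throw new TypeError(`non-boolean choice for ${vendor}`);
    }
    const prevHash = this.rows.length ? this.rows[this.rows.length - 1].hash : GENESIS;
    const rec = { correlationId, timestamp: now.toISOString(), policyVersion,
      choices: Object.freeze({ ...choices }), prevHash };
    rec.hash = hashRecord(rec);
    this.rows.push(Object.freeze(rec));
    return rec;
  }

  // Walk the chain; return the index of the first altered or missing row, -1 if intact.
  verify(rows = this.rows) {
    let prev = GENESIS;
    for (let i = 0; i < rows.length; i++) {
      if (rows[i].prevHash !== prev || hashRecord(rows[i]) !== rows[i].hash) return i;
      prev = rows[i].hash;
    }
    return -1;
  }

  // Latest decision for a correlation ID: a withdrawal is a new row, never an UPDATE.
  latest(correlationId) {
    return this.rows.filter((r) => r.correlationId === correlationId).pop() || null;
  }
}
```

A chain like this detects edited or deleted rows, but not removal of the newest rows or a full recomputation by someone with write access to the table. Periodically storing the latest hash somewhere the database administrator cannot change closes that gap.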

How many services does Tarteaucitron support natively?

The open source version supports 100+ preconfigured services (Google Analytics, YouTube, Facebook, Twitter, etc.). The Pro version offers 225+. Cookilio has no preconfigured library: each vendor is manually configured, which offers more control but requires initial configuration work.


GDPR compliance isn’t limited to displaying a banner. It requires being able to prove that consent was collected correctly. That’s where Cookilio makes the difference.
