Open-source cookie consent and privacy compliance, honestly reviewed. No marketing fluff, just what you get when you own your consent infrastructure.

TL;DR

What it is: Open-source (GPL-3.0) headless consent management engine — think OneTrust or Cookiebot, but the logic runs in your own bundle and the vendor can’t raise your bill [README].
Who it’s for: Web developers and technical founders who want full control over their cookie consent UX and are tired of paying SaaS consent platforms for a banner they can’t customize [website].
Cost savings: Enterprise consent platforms like OneTrust and Usercentrics run hundreds to thousands of dollars per year. c15t is self-hostable at zero software cost on any server or edge runtime [README].
Key strength: Performance. Their own benchmark puts c15t at 89ms first response vs. Usercentrics at 445ms, OneTrust at 514ms, and Ketch at 709ms — roughly 5–6x faster than the incumbents [website]. The entire library is tree-shakable with minimal bundle impact.
Key weakness: This is a developer-first tool in the most literal sense. There is no admin dashboard you click through, no drag-and-drop banner designer, no “install our tag and you’re done.” If you don’t have a JavaScript developer, you’ll need to hire one to get value from this.

What is c15t

c15t (a numeronym for “consent” — c + 15 letters + t, like i18n for internationalization) is a headless consent engine that handles cookie banner display, user consent state, and privacy compliance across web applications. The pitch on the GitHub README is blunt: “The Developer-First Cookie Banner” [README].

The core idea is that most consent management platforms are black boxes: you load a third-party script, it phones home, it injects a banner you can only half-customize, and it adds 400–700ms of load time because the vendor’s server has to wake up before your user can interact with the page. c15t flips this by putting the consent logic inside your bundle or on your own edge infrastructure, making it fast, customizable, and privacy-respecting by design [website][README].

The project is structured as a monorepo of focused packages rather than one bloated library. The core c15t package is framework-agnostic. @c15t/react and @c15t/nextjs wrap it for those frameworks specifically, supporting React 16.8 through 19 and Next.js 13 through 15 including App Router [README]. There’s a @c15t/backend package with a consent policy engine, geo-location detection, audit logging, and domain management — this is what you’d self-host. A CLI (@c15t/cli) scaffolds the whole thing in seconds. @c15t/scripts handles loading third-party analytics scripts (GTM, Meta Pixel, PostHog, TikTok Pixel, LinkedIn Insights, Microsoft UET, X Pixel) through c15t’s consent gates instead of loading them unconditionally [README].

As of this review the project sits at 1,623 GitHub stars. It presented at Next.js Conf 2025 — the talk title “Why Your Consent Banner Should Be in Your Bundle” is a clean one-line summary of the entire architectural argument [README].

Why people choose it over OneTrust, Cookiebot, and Usercentrics

The consent management SaaS market is one of the more quietly painful corners of the compliance space. GDPR and CCPA created mandatory demand for these tools, which turned them into reasonably profitable businesses that then raised prices, added enterprise tiers, and optimized for contract renewals rather than developer experience. The community quotes on the c15t homepage capture the frustration clearly:

“It blows my mind that no one has fixed this yet. Where have you been all this time?” — @thedavidprice [website]

“It was about time someone did that. Current solutions are too bloated or just sucks.” — @adrgrondin [website]

“Finally, consent management is done end!” — @pepicrft [website]

Three complaints show up repeatedly across developer forums when people discuss the incumbent tools: performance tax (you load a third-party script that adds 400–700ms before the page is interactive), customization walls (you get a limited widget designer, not actual code control), and pricing that scales with your growth (many consent platforms charge per domain, per page view, or per user, so your compliance bill grows alongside your traffic).

c15t’s answer to all three: run in your bundle, expose headless components you fully control, and charge you nothing for the software itself [website][README].

Versus OneTrust. OneTrust is the enterprise incumbent — full-featured, SOC 2 certified, used by large corporations, and priced accordingly. The benchmark shows their banner loads at 514ms vs. c15t’s 89ms [website]. For a high-traffic site, that 425ms difference is real money in conversion rate. For a small business that doesn’t need enterprise audit trails and global policy management, OneTrust is also significant overkill.

Versus Cookiebot. Cookiebot (now part of Usercentrics) is the most common mid-market tool, typically used by agencies deploying it across client sites. It works fine as a plug-and-play solution. But “plug-and-play” means “you get what you get” in terms of UX. If you want a consent banner that actually matches your design system, Cookiebot requires workarounds. c15t’s headless approach means you write your own components using their logic hooks [README].

Versus Osano and CookieYes. These are the price-conscious alternatives in the SaaS tier. They reduce the bill but don’t solve the “someone else runs the logic” problem. Your consent state still depends on their uptime and their pricing decisions [website].

On the self-hosting angle. The @c15t/backend package includes geo-location detection — so you serve the right legal configuration to EU users (GDPR), California users (CCPA), and skip the banner entirely in geographies where it’s not required [website]. This logic running on your own infrastructure means you’re not dependent on a third party to stay compliant.

Features

Based on the README and website content:

Consent engine core:

Headless logic — no UI assumptions baked in [README]
Framework-agnostic core with React and Next.js packages [README]
Server-side rendering support [README]
Consent state management with observable patterns [README]
Automatic GDPR compliance handling [README]

Script management:

Blocks third-party scripts until consent is granted [website]
@c15t/scripts package covers GTM, Meta Pixel, PostHog, TikTok Pixel, LinkedIn Insights, Microsoft UET, X Pixel [README]
Designed to replace the pattern of loading analytics unconditionally [website]

Backend / self-hosted:

Consent policy engine [README]
Geo-location detection for jurisdiction-aware banners [website][README]
Server-side translation [README]
Audit logging [README]
Domain and policy management [README]
REST API [merged profile]

Developer tooling:

@c15t/cli scaffolds configuration, runs database migrations, works across frameworks, provides interactive guided workflows [README]
Changesets-based versioning, Biome for formatting, Vitest for tests [2]
Full TypeScript throughout [README]
@c15t/translations for type-safe i18n with modular imports [README]

UI components (optional):

Pre-built React consent banner and dialog components [README]
Headless by default — bring your own CSS [website]
The website demos show the banner in multiple color schemes, languages, and configurations [website]

What it doesn’t include:

A visual admin dashboard for non-developers
A tag manager — it works alongside GTM but doesn’t replace it
A scan-and-auto-categorize feature that the SaaS platforms use to auto-detect cookies on your site

Pricing: SaaS vs self-hosted math

The c15t website does not publish a detailed pricing page at the time of this review — the hosted/cloud offering terms are not publicly listed in the scraped data. What is clear: the open-source packages are free, and the self-hosted path has no software licensing cost [README].

Self-hosted:

Software: $0 (GPL-3.0) [README]
Infrastructure: whatever you’re already running your app on — c15t can run on your existing server, serverless functions, or edge runtime
Additional server cost if isolated: $0–$5/month for a basic VPS

Consent SaaS incumbents for comparison (from publicly available pricing, not scraped from c15t sources):

Cookiebot/Usercentrics: typically $8–$20/month per domain for small sites; jumps steeply for high-traffic or multi-domain setups
OneTrust: enterprise contracts, typically $1,000+/year even at the entry tier
Osano: starts at $99/month
CookieYes: free tier available; paid from $10/month

For a founder running two or three domains with moderate traffic, the SaaS cost is $200–$600/year for tools that are slower, less customizable, and outside your infrastructure. Self-hosting c15t with an existing server costs $0 in incremental fees.

The license nuance worth reading. c15t is GPL-3.0, not MIT. GPL-3.0 is a copyleft license — if you distribute software that incorporates c15t, that software must also be GPL-3.0. For an internal tool or a website, this is irrelevant. For a SaaS product you sell that embeds c15t as a component, you’ll want a lawyer to review whether distribution applies to your use case. The contributing guide separately notes that contributions are accepted under Apache 2.0 [2], which is a different license entirely — a detail that suggests the project may be in the process of clarifying its licensing model. Worth asking the maintainers directly before building a commercial product on top of it.

Deployment reality check

The @c15t/cli path is genuinely fast for a developer. npx @c15t/cli scaffolds the integration, and the homepage claims “Get Started in 30 seconds” [website]. The npm package install, framework wrapper, and component drop-in are clean for a Next.js or React project.

What the fast path requires:

Node.js environment
A Next.js or React project already running
Basic familiarity with environment variables and npm packages

Self-hosting the backend (@c15t/backend):

Requires a server or edge runtime
Database for storing consent records (the CLI handles migrations) [2][README]
The backendURL environment variable pointed at your instance [website]
The contributing guide references PostgreSQL-style migrations via the CLI [2]

What can go wrong for a non-technical founder:

The “30 seconds” claim assumes you have a JavaScript developer. If you don’t, you’ll be stuck at step one — there’s no CMS plugin, no WordPress integration, no “paste this tag into your header” option.
The self-hosted backend is not a one-click deploy — you manage the database and server yourself.
GPL-3.0 implications (see Pricing section above) need to be verified for commercial use cases.
The project is young (1,623 stars as of this review) with a relatively small community compared to mature tools. Support comes via Discord and GitHub Issues [README].

Realistic time estimate for a developer: 30–60 minutes to a working Next.js integration pointing at the c15t cloud or a self-hosted backend. For a non-technical founder without developer support: not a DIY project.

Pros and Cons

Pros

Performance benchmark is striking. 89ms vs. 445–709ms for the incumbent SaaS platforms [website]. On a site with significant traffic, this is not a cosmetic difference — it affects Lighthouse scores, Core Web Vitals, and conversion.
Actually headless. You write your own components. The consent state is just logic and hooks. You can make the banner look like it was always part of your design system, because it is [README][website].
Framework-agnostic core with excellent React/Next.js wrappers. Supports the full range of modern Next.js (App Router, Pages Router, server components) [README].
Script-loading system included. @c15t/scripts handles the most common analytics vendor scripts behind consent gates, which is usually where the compliance holes are in DIY setups [README].
Geo-location aware out of the box. Serve GDPR-compliant banners to EU users, CCPA dialogs to California users, and nothing to geographies that don’t require it [website].
CLI scaffolding reduces setup time significantly compared to building a consent system from scratch [README][website].
No per-pageview or per-domain pricing. Self-hosted is free; any hosted tier doesn’t meter based on traffic volume [website].
Active development. Presented at Next.js Conf 2025; the GitHub shows active commit history; community is growing [README].

Cons

GPL-3.0 is a meaningful restriction for commercial products. MIT it is not. If you’re building a product that ships c15t as embedded code to customers, you need to understand what GPL-3.0 requires [README]. The contributing guide adding Apache-2.0 for contributions adds confusion, not clarity [2].
No non-developer path. No admin UI, no tag-manager-style integration, no “paste this script” option. You need a developer to configure and deploy this [website][README].
Small community. 1,623 stars is early. Compare to OneTrust (no open-source equivalent) or even the open-source CMP space where projects with 10k+ stars have more community-tested edge cases. You may hit a bug that no one else has reported yet.
Backend self-hosting requires operational maturity. Running @c15t/backend means you own the database, the migrations, the uptime, and the GDPR-compliant storage of consent records. If your consent database goes down, you have a compliance problem.
No auto-scan feature. SaaS platforms typically scan your site and auto-categorize cookies. c15t requires manual configuration of what cookies exist and what category they fall into [README][website].
Licensing ambiguity. GPL-3.0 in the repo but Apache-2.0 mentioned for contributions [2] — until this is resolved unambiguously, commercial users are in an uncertain position.

Who Should Use This / Who Shouldn’t

Use c15t if:

You’re a developer or have a developer on staff who can own the integration.
You’re building a React or Next.js application and want a consent banner that actually matches your design system.
You’re currently paying $100–$500+/year for a SaaS consent platform and the performance hit bothers you.
You want consent logic running on infrastructure you control, with full audit logging you own.
Privacy is a genuine product value (you’re building in healthcare, fintech, or for privacy-conscious users), not just a checkbox.

Skip it (use a SaaS tool) if:

You’re non-technical and can’t hire a developer for the integration.
You need a working compliance banner in the next two hours and you’re not a JavaScript developer.
Your site runs on WordPress, Squarespace, Webflow, or another platform without direct npm access.
You need auto-scan cookie categorization — c15t doesn’t do this.

Skip it (stay on Cookiebot/CookieYes) if:

Your developer capacity is zero and the current SaaS tool “just works.”
You need the scan-and-auto-categorize feature that SaaS platforms provide.
You need a compliance audit trail managed by a vendor with a signed DPA and enterprise SLAs.

Check the license before proceeding if:

You’re building a commercial SaaS product that will include c15t as part of the distributed software. GPL-3.0 copyleft may require your product to also be GPL-3.0. Verify with legal counsel.

Alternatives Worth Considering

Osano — Paid SaaS, starts at $99/month, but provides auto-scan, vendor management, and a DPA. For non-technical teams that need to prove compliance to enterprise customers, the price is worth it.
Cookiebot (Usercentrics) — The market default for agencies and mid-market. Per-domain pricing, reasonable setup time, no technical skills needed. Slower, less customizable, but works without a developer.
CookieYes — Cheaper SaaS option with a free tier. Lacks the customization of c15t but no developer required.
Klaro — Another open-source consent manager (MIT license). Less performance-focused than c15t, older codebase, but battle-tested and with more community resources for debugging edge cases.
Tarteaucitron.js — Open-source, used heavily in the French market, integrates directly with Google Analytics, YouTube, etc. Not headless, but well-maintained for European compliance use cases.
Rolling your own — For a single-framework app with a small cookie footprint, a custom implementation using localStorage and a few conditional script loads takes a developer a day and costs nothing. Worth considering before adding a dependency.

For a developer-led team on Next.js that cares about performance and design control: c15t vs. Klaro is the real open-source choice. c15t wins on performance and modernity; Klaro wins on maturity and MIT licensing.

Bottom Line

c15t is the first genuinely well-engineered open-source approach to a problem that the SaaS consent management industry has been charging too much to solve badly for years. The performance numbers are real — loading a consent banner from a third-party CDN on every page load adds 400–700ms of overhead that c15t eliminates by design. The headless architecture and TypeScript-first approach are correct calls. For a developer team on a React or Next.js stack that’s paying for OneTrust, Usercentrics, or similar and watching their Lighthouse scores suffer, the migration case is straightforward.

The honest caveat: this is a tool built by developers for developers, and the “developer-first” branding is not a soft hedge. Non-technical founders can’t self-deploy this without help. The GPL-3.0 license needs to be understood before building commercial products on top of it. And at 1,623 stars, this is still an early-stage project — you’re an early adopter, not a late adopter. The quality of the engineering is high for the stage, but community support, documentation depth, and edge-case coverage will grow over time. If the consent banner being 5x faster and living entirely in your infrastructure matters to your product, c15t is worth the developer time to integrate. If you need a banner working by end of business today without writing code, it isn’t the right tool yet.

Sources

c15t Community Code of Conduct — c15t.com. https://c15t.com/docs/oss/code-of-conduct
Contributing to c15t.com — c15t.com. https://c15t.com/docs/oss/contributing
c15t GitHub Repository and README — github.com. https://github.com/c15t/c15t
c15t Official Website and Homepage — c15t.com. https://c15t.com

Primary sources:

GitHub repository: https://github.com/c15t/c15t (1,623 stars, GPL-3.0 license)
Official website: https://c15t.com
npm packages: https://www.npmjs.com/package/c15t

Features

Integrations & APIs

REST API

Replaces

Related Security & Authentication Tools

View all 159 →

Ghidra

66K

A free, open-source software reverse engineering framework created by the NSA — disassemble, decompile, and analyze compiled code on any platform.

security Apache-2.0

PocketBase

58K

Open-source backend in a single 12 MB binary — realtime database, auth, file storage, and admin dashboard. No Docker, no Postgres, just run it.

security MIT Easy to deploy

Vaultwarden

57K

Lightweight, self-hosted Bitwarden-compatible password manager written in Rust. Uses 10x less RAM than the official server and works with all Bitwarden clients.

security AGPL-3.0

Zen Browser

41K

Zen Browser is a privacy-focused, beautifully designed Firefox fork with a unique sidebar tab layout, split views, and built-in content blocking — no telemetry, no tracking.

security MPL-2.0