Klaro is an open source, self hosted JavaScript consent manager developed by KIProtect GmbH in Berlin that blocks third party tags until the visitor records a granular opt in, with no managed backend or data transfer.
Klaro is the open source consent management platform published by KIProtect GmbH (Berlin) since 2018 under the BSD 3 Clause license. It is delivered as a small JavaScript library (about 35 kilobytes minified) that the publisher hosts on its own server, plus a JavaScript configuration object (conventionally klaroConfig, kept in a klaro-config.js file) that declares the services to gate, their purposes and their cookies. Klaro renders a banner, a modal preference centre and granular toggles per service or purpose, and exposes a clean JavaScript API to gate the loading of every analytics, advertising and social tag.
Klaro writes a single first party cookie on the publisher domain, named klaro by default (storageName), with a default expiration of 120 days (cookieExpiresAfterDays) that you can raise, within the 13 month ceiling of the CNIL recommendation. The cookie value is a JSON object holding the consent decision per service; the exact payload depends on the Klaro version and your configuration, so inspect it in the browser storage inspector before describing it in your cookie policy. With storageMethod set to localStorage the same record is kept in localStorage instead of a cookie. No external request is made; the library is fully client side and the configuration is read from the publisher's own static asset.
Klaro ships sensible defaults that align with CNIL deliberation 2020-091 and EDPB guidelines 03/2022 on deceptive design: a Decline button at the same visual level as Accept all (hideDeclineAll stays false), a granular preference modal, no "scroll equals consent" behaviour and a configurable consent expiration. The publisher controls every word in the banner through the translations object and can integrate Klaro with the IAB TCF 2.2 stub when needed.
Self hosted Klaro generates zero outbound requests to KIProtect or any third party. The optional managed dashboard Klaro Cloud (hosted in Germany) receives aggregated consent metrics if explicitly enabled by the publisher, but the visitor data remains in Germany. No transfer to the United States or other third countries occurs in standard configuration.
Host the Klaro library on your own server. Declare every service in the configuration object with its name, purposes, the cookies it sets (so Klaro can delete them when consent is withdrawn), a translated description that states the retention period, and required: true only for genuinely essential services; keep default: false so nothing loads before an explicit opt in. Block each third party script by giving it type="text/plain", data-type="text/javascript" and a data-name equal to the matching service name, so Klaro only activates it after consent. Leave hideDeclineAll at false (with acceptAll: true if you show an Accept all button) so the Decline button stays as prominent as Accept all, which is what the CNIL requires. Document the configuration in your records of processing (GDPR art. 30) and version it in Git so you keep evidence of the consent texts over time. Keep it up to date whenever you add or remove a third party service.
Direct alternatives in the open source space include Cookie Consent by Orest Bida (MIT, vanilla JavaScript), Tarteaucitron (France, GPL), Cookie Notice for WordPress, Civic CookieControl free tier and Cookie Solution by Iubenda free tier. Commercial European CMPs covered in detail elsewhere are Axeptio, Cookiebot, Didomi, CookieFirst and Complianz.
Websites using Klaro still have to obtain valid consent for the third party services Klaro gates; Klaro is the tool that collects and applies the consent, not the legal basis for the tracking itself.
DPIA considerations
No DPIA needed for Klaro itself. It is a privacy enhancing tool that processes only consent decisions locally.
Sample consent text
This site uses Klaro, an open source consent management library from KIProtect GmbH (Berlin). Klaro runs entirely in your browser and stores your consent decision in a first party cookie named klaro on this domain. No consent data is sent to KIProtect or to any third country. The Klaro library itself is strictly necessary to manage your privacy preferences and runs without your consent. Each individual service (analytics, advertising, social) only loads after you accept the corresponding category in the Klaro banner.
Third-party domains contacted
(self hosted, no third party domain by default)
kiprotect.com, heyklaro.com and klaro.kiprotect.com are contacted only when the library is loaded from KIProtect or the optional Klaro Cloud / heyklaro.com offer is enabled; a fully self hosted installation contacts none of them.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| klaro | first_party http_cookie (default storageMethod) | 120 days by default (cookieExpiresAfterDays, configurable; keep within the 13 month CNIL ceiling) | Strictly necessary. Stores the JSON encoded consent decision per service so the choice is applied on every page load and the banner does not reappear while the consent is valid. The exact payload depends on the Klaro version and configuration, so verify it in the browser storage inspector before copying it into the cookie policy. |
| klaro | local_storage (storageMethod: 'localStorage') | Not expired by the browser; persists until the visitor clears site data or changes the choice | Optional variant used when the controller prefers to avoid cookies; contains the same payload as the cookie version. |
Klaro does not set a separate session cookie: the single storage key above (cookie or localStorage, never both) is the only entry it writes.
Klaro sets a single first party cookie named klaro (the name is configurable through storageName; with storageMethod: 'localStorage' it uses a localStorage key instead), valid for 120 days by default (cookieExpiresAfterDays). It contains the JSON encoded per service decisions. No tracking cookie is set by Klaro itself; the library only governs the scripts and cookies of the services you declare.
A single first party cookie named klaro (or any name you configure) containing the JSON encoded consent decisions for each service. Default lifetime is 120 days.
No. The Klaro preference cookie falls under the strictly necessary exemption of Article 5(3) ePrivacy because it stores the user choice that was explicitly requested. Consent is required only for the third party services governed by Klaro, not for the consent layer itself.
No. Klaro is a strictly necessary CMP and can be loaded before any consent decision. It must then block all non essential scripts until the visitor accepts.
Legitimate interest under Article 6(1)(f) GDPR is the appropriate basis for the controller operating the consent layer, combined with legal obligation under Article 6(1)(c) GDPR: Article 5(3) ePrivacy requires consent for any non essential tracker and Article 7(1) GDPR requires the controller to be able to demonstrate it. Klaro itself only stores the consent decision needed to evidence that obligation.
Legitimate interest (Art. 6(1)(f) GDPR) for operating the CMP, plus legal obligation (Art. 6(1)(c) GDPR + Art. 7(1)) for the proof of consent.
No. Klaro is a fully self hosted JavaScript library distributed under BSD 3 Clause. It does not contact KIProtect or any external party. Unless the controller subscribes to the optional Klaro Cloud add on, no data leaves the controller infrastructure.
No. Klaro is self hosted from your own infrastructure. The optional commercial offer heyklaro.com runs from Berlin (Germany). There is no transfer outside the EU.
A standalone DPIA is not required because Klaro processes only the strict minimum to record consent. If the overall stack triggers a DPIA (for example because it includes advertising pixels or large scale profiling), Klaro should be documented inside it as a mitigation control that gates higher risk processors.
No. Klaro is a privacy enhancing tool that only processes the consent decision locally.
Serve klaro.js from your own domain in the head, with the data-config attribute naming your global configuration object (for example data-config="klaroConfig"). Set default: false on every non essential service, declare each tracker with translated descriptions, and use the service callbacks (callback, or onAccept and onDecline) to wire Google Consent Mode v2. Treat the configuration file like code: review it, version it, and replay it during audits.
List every script in the Klaro configuration with category, callback, and contextual blocker rules, host klaro.js from your own domain, enable equal weight Accept/Decline buttons, integrate with Google Consent Mode v2 if needed, and document Klaro in your Article 30 record.
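The setup described above (self hosted library, a configuration object with default: false and an equally prominent Decline button, scripts blocked through data-name, and service callbacks feeding Google Consent Mode v2), as an added example that is not Klaro's own code. The configuration follows the shape Klaro reads from the object named in the script tag's data-config attribute; the service names, cookie names, the gtag wiring and the small simulation of Klaro's gating rules are assumptions made here so the callbacks can be exercised offline in Node.

```javascript
// Added example, not code from Klaro or KIProtect. Service names, cookie names,
// the gtag wiring and applyDecisions() are illustrative assumptions.

// Consent Mode v2 state as it would be sent with gtag('consent', 'update', ...).
// Everything starts denied; Klaro service callbacks upgrade individual signals.
const consentModeState = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
};

// Map one Klaro service decision to the Consent Mode signals that service needs.
// Returns the partial update so it can be inspected; gtag is only called when
// it exists (i.e. in a real page, not in this offline run).
function consentModeUpdate(serviceName, consent) {
  const value = consent ? 'granted' : 'denied';
  const signals = {
    googleAnalytics: ['analytics_storage'],
    googleAds: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  }[serviceName] || [];
  const update = Object.fromEntries(signals.map((k) => [k, value]));
  Object.assign(consentModeState, update);
  if (typeof globalThis.gtag === 'function') globalThis.gtag('consent', 'update', update);
  return update;
}

// The configuration object. In a page it lives in klaro-config.js and is
// referenced by <script defer data-config="klaroConfig" src="/klaro.js">.
const klaroConfig = {
  storageMethod: 'cookie',      // 'localStorage' avoids a cookie entirely
  storageName: 'klaro',         // first party cookie name / storage key
  cookieExpiresAfterDays: 120,  // Klaro default; stay within the CNIL ceiling
  default: false,               // nothing loads before an explicit opt in
  mustConsent: false,
  acceptAll: true,              // show "Accept all" ...
  hideDeclineAll: false,        // ... but keep the equally prominent "Decline"
  translations: {
    en: {
      privacyPolicyUrl: '/privacy',
      purposes: { functional: 'Functional', analytics: 'Analytics', advertising: 'Advertising' },
      googleAnalytics: { description: 'Audience measurement. Cookies _ga and _gid, 13 months.' },
      googleAds: { description: 'Conversion measurement. Cookies _gcl_*, 90 days.' },
    },
  },
  services: [
    // Shown for transparency only: required services cannot be toggled off.
    { name: 'session', purposes: ['functional'], required: true, cookies: ['PHPSESSID'] },
    {
      name: 'googleAnalytics',
      purposes: ['analytics'],
      cookies: [/^_ga/, '_gid'],   // deleted by Klaro when consent is withdrawn
      callback: (consent, service) => consentModeUpdate(service.name, consent),
    },
    {
      name: 'googleAds',
      purposes: ['advertising'],
      cookies: [/^_gcl_/],
      callback: (consent, service) => consentModeUpdate(service.name, consent),
    },
  ],
};

// Markup Klaro needs to gate a script: type="text/plain" stops the browser from
// executing it; Klaro restores data-type once the data-name service is consented.
function gatedScriptTag(serviceName, src) {
  return `<script type="text/plain" data-type="text/javascript" data-name="${serviceName}" src="${src}"></script>`;
}

// Offline simulation of Klaro's decision rules (illustrative, not library code):
// required services are always on; everything else uses the visitor's decision
// or falls back to the per service / global `default`. Each callback is invoked
// exactly as Klaro would invoke it, with (consent, service).
function applyDecisions(config, decisions) {
  const result = {};
  for (const service of config.services) {
    let consent;
    if (service.required) consent = true;
    else if (service.name in decisions) consent = Boolean(decisions[service.name]);
    else consent = service.default ?? config.default ?? false;
    result[service.name] = consent;
    if (typeof service.callback === 'function') service.callback(consent, service);
  }
  return result;
}
```

Run it with node and call applyDecisions(klaroConfig, { googleAnalytics: true }): the required session service is on, Google Ads stays off because nothing overrides default: false, and consentModeState ends with analytics_storage granted and every ad signal denied, which is the state the real page would have sent to gtag.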
Complianz (Netherlands, WordPress), CookieHub (Iceland), Cookiebot (Denmark), Usercentrics (Germany), Axeptio (France), CookieFirst (Netherlands), Didomi (France), Orejime (open source fork). Klaro itself is one of the most popular EU open source CMPs.
Other self hosted, privacy first CMPs include orestbida cookieconsent (vanilla JavaScript, MIT), Tarteaucitron (PHP and JavaScript, French), Cookie Consent v3 from Osano, CookieKit and Drupal EU Cookie Compliance. For managed alternatives consider CookieFirst, Cookiebot, Iubenda, Didomi and Axeptio.
Treat the Klaro configuration as the source of truth: every new third party service must be added there before being deployed. Cross check the configuration with an external scanner (CookieMetrix, 2GDPR, CookieServe) on a monthly basis to detect cookies that bypass Klaro, and regenerate the public cookie policy automatically from the same configuration object with a small build script.
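The two chores above, reconciling a scanner's cookie list against what each service declares and rendering the cookie policy from the same object, as an added example that is not Klaro's or any scanner's code. The configuration, the scanner export and the cookie names are constructed for illustration; the per service retention field is not a Klaro setting but an extra key carried in the object so the policy generator has a lifetime to print (Klaro ignores keys it does not know). Node runs it offline.

```javascript
// Added example, not code from Klaro, KIProtect or any scanner vendor.
// Constructed configuration; `retention` is an assumed extra field, not a Klaro option.
const klaroConfig = {
  storageName: 'klaro',
  cookieExpiresAfterDays: 120,
  services: [
    { name: 'session', purposes: ['functional'], required: true, cookies: ['PHPSESSID'], retention: 'session' },
    { name: 'googleAnalytics', purposes: ['analytics'], cookies: [/^_ga/, '_gid'], retention: '13 months' },
    { name: 'matomo', purposes: ['analytics'], cookies: [/^_pk_/], retention: '13 months' },
  ],
};

// Constructed scanner export: cookie names observed after loading the page and
// clicking nothing, i.e. before any consent is recorded.
const scanBeforeConsent = ['klaro', 'PHPSESSID', '_gid', '_fbp'];

// Klaro accepts a cookie entry as a string, a RegExp, or [pattern, path, domain].
function matchesCookie(entry, cookieName) {
  const pattern = Array.isArray(entry) ? entry[0] : entry;
  return pattern instanceof RegExp ? pattern.test(cookieName) : pattern === cookieName;
}

// Which declared service owns a cookie name, or null if no service declares it.
function serviceForCookie(config, cookieName) {
  for (const service of config.services) {
    if ((service.cookies || []).some((e) => matchesCookie(e, cookieName))) return service.name;
  }
  return null;
}

// Classify each observed cookie given the visitor's decisions ({} = none yet):
//   allowed:    Klaro's own storage key, required services, consented services
//   violations: declared cookies present although their service was not consented
//   undeclared: cookies no service declares; these bypass the consent layer
function auditScan(config, observedCookies, decisions) {
  const report = { allowed: [], violations: [], undeclared: [] };
  for (const name of observedCookies) {
    if (name === config.storageName) { report.allowed.push(name); continue; }
    const owner = serviceForCookie(config, name);
    if (owner === null) { report.undeclared.push(name); continue; }
    const service = config.services.find((s) => s.name === owner);
    if (service.required || decisions[owner] === true) report.allowed.push(name);
    else report.violations.push(`${name} (${owner})`);
  }
  return report;
}

// Render the public cookie policy as a pipe table from the same object, so the
// policy can never drift from what Klaro actually gates. Regex entries are
// printed as their source with a "(pattern)" marker.
function renderCookiePolicy(config) {
  const show = (entry) => {
    const p = Array.isArray(entry) ? entry[0] : entry;
    return p instanceof RegExp ? `${p.source} (pattern)` : p;
  };
  const rows = [
    '| Name | Service | Purpose | Duration |',
    '|---|---|---|---|',
    `| ${config.storageName} | Klaro consent record | strictly necessary | ${config.cookieExpiresAfterDays} days |`,
  ];
  for (const service of config.services) {
    const purpose = service.required ? 'strictly necessary' : service.purposes.join(', ');
    for (const entry of service.cookies || []) {
      rows.push(`| ${show(entry)} | ${service.name} | ${purpose} | ${service.retention || 'see service description'} |`);
    }
  }
  return rows.join('\n');
}
```

On the constructed scan with no decisions recorded, auditScan reports klaro and PHPSESSID as allowed, _gid as a violation (its service was never consented, so the gated script should not have run) and _fbp as undeclared, which is exactly the kind of finding the monthly cross check is meant to surface.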
List the klaro cookie with name, retention and purpose (consent storage). Mention that the CMP is self hosted and that no third party tracking is performed by Klaro itself.