Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
The lazysizes unveilhooks plugin extends the lazysizes JavaScript library to lazy load non image elements such as background images, iframes, scripts, video and audio. It is a client-side performance helper that does not set cookies, does not collect personal data and does not transfer information to its own backend. Merchants typically deploy it from their own bundle or from a public CDN such as jsdelivr or unpkg to defer the loading of media until it becomes visible in the viewport.
The lazysizes unveilhooks plugin is an official extension for lazysizes, an open source JavaScript lazy loading library distributed under the MIT license by aFarkas on GitHub. The base library handles deferred loading of img and picture elements. The unveilhooks plugin adds support for other resource types, including CSS background images, iframes, scripts, video and audio. It runs entirely in the visitor browser, listens for elements that enter the viewport and then triggers their actual loading. The plugin is normally bundled into the merchant own JavaScript or loaded from a public CDN such as jsdelivr or unpkg.
The lazysizes unveilhooks plugin does not set any cookies, does not write to localStorage and does not send telemetry to its authors. It does not contact any backend operated by the lazysizes project. The only network requests it triggers are requests for the resources that the merchant has declared in the page markup, such as image URLs, iframe sources, script sources, video and audio files. These requests would happen anyway when the page is rendered. The plugin only changes the timing, deferring the request until the element becomes visible.
Under the ePrivacy Directive, prior consent is required when a service stores information on or accesses information from the visitor terminal, unless the storage is strictly necessary to deliver a service explicitly requested by the user. The lazysizes unveilhooks plugin does not store or access information on the device. Under GDPR, a legal basis is needed only when personal data is processed. The plugin does not process personal data as such, it only schedules resource loads. As a result, the plugin itself can be used without a consent banner entry and relies on Article 6(1)(f) legitimate interest of the controller in providing fast and responsive pages.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The fact that the plugin itself is consent free does not change the compliance status of the resources it lazy loads. A YouTube iframe, a Vimeo player, a Google Maps embed, a third party analytics tag or any external widget loaded through unveilhooks is still subject to the consent and legal basis rules of that specific provider. Merchants must continue to gate such embeds behind consent, for example by only inserting the iframe markup after the user has accepted the relevant cookie category, regardless of whether lazysizes is used to defer the actual load.
The plugin can be served from the merchant own domain, bundled inside the main JavaScript build, or fetched from a public CDN such as cdn.jsdelivr.net or unpkg.com. When served from a third party CDN, the visitor browser sends an HTTP request to that CDN, which involves the transmission of the IP address and basic request headers. This is a minor technical processing typically covered by legitimate interest. Merchants who want to remove any third party request can self host the plugin, in which case no external domain is contacted by the plugin itself.
Even though no consent banner entry is required, it is good practice to mention the lazysizes unveilhooks plugin in the technical section of the privacy policy. A short paragraph is enough, stating that the website uses lazysizes and the unveilhooks plugin to defer the loading of images, iframes, scripts, video and audio, that this component does not set cookies and does not send data to its publisher, and that the merchant self hosts it or uses a named CDN. This makes the lazy loading mechanism transparent for auditors and visitors.
Websites using lazysizes unveilhooks plugin must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA under Article 35 GDPR is not required for the lazysizes unveilhooks plugin itself, because it does not process personal data, does not set cookies and does not transfer data to its publisher. The plugin only schedules the loading of resources already present in the merchant page markup. A risk review is still advisable for the resources it lazy loads, since embedded iframes, third party scripts, video and audio assets may themselves trigger personal data processing, set cookies or transfer data to third countries, in which case the underlying service must be assessed separately.
Sample consent text
No consent banner entry is required for the lazysizes unveilhooks plugin itself. If your privacy policy lists technical components, you can describe it as follows. We use the lazysizes unveilhooks plugin, a client-side JavaScript helper that defers the loading of images, iframes, scripts, video and audio until they enter the viewport. This component does not set cookies, does not collect personal data and does not send information to its publisher. Lazy loaded resources such as embedded videos or third party widgets are described separately under the relevant providers.
Third-party domains contacted
cdn.jsdelivr.netunpkg.com(none if self hosted, the plugin itself does not contact any domain operated by the lazysizes project)Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| (none) | Not applicable | Not applicable | lazysizes unveilhooks does not set cookies. Cookies may be set by the resources it lazy loads, for example embedded videos or third party widgets, and must be evaluated separately under the relevant provider. |
lazysizes unveilhooks plugin collects user analytics data — you legally need a consent banner. Try FlowConsent free.
The lazysizes unveilhooks plugin does not set any cookies. It is a client-side JavaScript helper that only schedules the loading of images, iframes, scripts, video and audio when those elements enter the viewport. It does not write to cookies, localStorage, sessionStorage or any other browser storage. Any cookies that appear after the plugin runs come from the lazy loaded resources themselves, for example a YouTube iframe or a third party widget, and those services must be declared and assessed separately under the relevant provider.
No, the plugin itself does not require user consent under the ePrivacy Directive or the GDPR. It does not store or access information on the visitor terminal and does not process personal data. It can therefore run before any consent decision. However, the resources it lazy loads may themselves require consent. An embedded YouTube or Vimeo iframe, a Google Maps embed, a third party analytics script or a marketing widget loaded through unveilhooks must still be gated behind consent for the cookie category they belong to, exactly as they would be without lazysizes.
Since the plugin does not process personal data as such, no specific legal basis is strictly needed for the plugin itself. To the extent that serving the script involves any minor processing, for example logging an IP address by a CDN that hosts the script, this is best documented under Article 6 1 f of the GDPR, the legitimate interest of the controller in providing a fast, responsive website that respects users connection and battery resources. This documentation does not replace the legal bases that must be established for any embedded third party services that the plugin happens to lazy load.
The plugin itself does not transfer any data outside the EU because it does not communicate with any backend operated by the lazysizes project. If the merchant chooses to load the script from a public CDN such as cdn.jsdelivr.net or unpkg.com, the visitor browser will contact that CDN, which may route requests through edge nodes outside the EU and process the IP address as a connection metadatum. To avoid this entirely, the script can be self hosted from the merchant own domain, in which case no third country transfer is triggered by the plugin. Outbound requests to lazy loaded resources, such as embedded videos or external scripts, are governed by those individual services.
A formal data protection impact assessment under Article 35 of the GDPR is not required for the lazysizes unveilhooks plugin itself. The plugin is a deterministic client-side helper that does not process personal data, does not profile users and does not make automated decisions. It does not meet the criteria that trigger a mandatory DPIA. A lightweight risk note in the record of processing activities is enough. A DPIA may be required for some of the underlying services that the plugin happens to lazy load, such as video platforms with cross border transfers, but that assessment relates to the embedded service, not to lazysizes.
To deploy the lazysizes unveilhooks plugin compliantly, first decide whether to self host the script or to load it from a public CDN. Self hosting from the merchant own domain is the most conservative option and avoids any third country exposure. If a CDN is used, document the choice in the privacy policy and prefer CDNs with EU edge nodes. Second, ensure that any markup the plugin lazy loads, such as iframes for video platforms or scripts for third party widgets, is only inserted into the DOM after the user has accepted the corresponding cookie category. Third, list the plugin briefly in the technical components section of the privacy policy and confirm that it does not set cookies and does not transmit data to its publisher.
Modern browsers support native lazy loading via the loading attribute on img and iframe tags, which removes the need for any JavaScript helper for those two element types. For background images, scripts, video and audio, native loading attributes do not exist, and the unveilhooks plugin remains a useful approach. Alternatives in the same niche include the IntersectionObserver API used directly in custom code, the vanilla-lazyload library, and yall.js. All these alternatives share the same compliance profile when configured without telemetry, so the choice is largely a matter of feature set, bundle size and developer ergonomics rather than data protection.
You do not need to add the lazysizes unveilhooks plugin to the cookie banner because it does not set cookies. In the cookie policy and the technical components section of the privacy policy, add a short paragraph that states that the website uses lazysizes and the unveilhooks plugin to defer the loading of images, iframes, scripts, video and audio until they enter the viewport, that this component does not set cookies, does not collect personal data and does not send information to its publisher, and that the script is self hosted or served from a named CDN. Keep the cookie banner focused on the services that actually set cookies or store data on the device.