Lucide is a popular open source icon library, originally forked from Feather Icons, made up of around 1500 minimalist SVG icons. Designers and developers embed Lucide icons through a JavaScript package, a webfont or, very commonly, by hot linking the SVG files from a public CDN such as jsDelivr or unpkg. Lucide itself sets no cookies and uses no tracking, but loading the assets from a third party CDN exposes the visitor IP address to a US based operator, which can require a CMP entry under GDPR.
Lucide is a community maintained open source icon library, originally forked from Feather Icons in 2020 and now containing approximately 1500 minimalist SVG icons. The project is released under the ISC licence and ships as an npm package, a web component, a React, Vue, Svelte and Solid wrapper, and as raw SVG files. Lucide is widely used by SaaS dashboards, design systems and developer documentation portals because it offers a consistent stroke and a permissive licence.
Lucide itself collects nothing. It does not include analytics, does not set cookies, does not fingerprint the visitor and does not phone home. The only personal data involved is the HTTP request metadata (IP address, User Agent, Referer) that is naturally observable by the server delivering the SVG or JavaScript file. When Lucide is self hosted on the operator infrastructure this metadata stays under the operator control. When it is loaded from a public CDN such as jsDelivr or unpkg, that metadata is observable by the CDN operator.
Because no information is stored or read on the visitor device, the ePrivacy strictly necessary rule does not even need to be invoked: Article 5(3) ePrivacy Directive only applies to storage or access on terminal equipment. The GDPR still applies to the IP address that is shared with the CDN when the file is loaded externally. Following the Schrems II ruling and the case law on Google Fonts in Germany, sending an EU visitor IP to a US CDN without clear information or legal basis has been flagged as a risk, even though the impact is very limited.
When Lucide is self hosted, the operator can rely on legitimate interest under Article 6(1)(f) GDPR to serve the icons because the impact on the visitor is minimal and the assets are necessary to render the page. When the icons are loaded from a third party CDN the simplest path to compliance is to self host them or to use a CDN with EU presence. If a US CDN remains in use, a clear mention in the privacy notice plus a consent gate on first request is a defensible approach, especially for German audiences sensitive to the Google Fonts case law.
jsDelivr is operated by Prospect One in Poland but uses Fastly and Cloudflare as edge networks, both with US headquarters and worldwide PoPs. unpkg is operated by NPM Inc. (subsidiary of Microsoft, United States) and uses Cloudflare. As a result, requests issued by EU visitors to fetch Lucide assets can be routed through US edges and are observable by US controllers. Self hosting on the operator origin or using an EU only CDN (Bunny CDN with EU only zones, Scaleway Edge) eliminates the third country exposure.
The easiest compliant pattern is to bundle Lucide locally with your build pipeline so the icons are served from the same origin as the rest of the site. If using a CDN is preferred, choose one with an EU only routing option, or document the CDN in your privacy notice as a recipient and rely on Standard Contractual Clauses or the EU US Data Privacy Framework. Because Lucide sets no cookies, no CMP toggle is technically required, but listing it as a third party resource is best practice.
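A build-time check for the pattern above, as an added example that is not code from Lucide or from this page's author: it scans built HTML for Lucide assets still hot linked from the third-party hosts this page lists. The function name, the sample markup and the `https://example.org` origin are assumptions made for illustration.

```javascript
// Hosts taken from this page's "Third-party domains contacted" list.
const THIRD_PARTY_HOSTS = ['lucide.dev', 'cdn.jsdelivr.net', 'unpkg.com', 'esm.sh'];

// URL-bearing constructs: src/href attributes, CSS url(...), ES module specifiers.
const URL_PATTERNS = [
  /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi,
  /url\(\s*["']?([^"')]+)["']?\s*\)/gi,
  /\b(?:from|import)\s*\(?\s*["']([^"']+)["']/gi,
];

// Returns [{ host, url }] for every Lucide asset requested from a listed host.
function findExternalLucideLoads(source, pageOrigin) {
  const findings = [];
  const seen = new Set();
  for (const pattern of URL_PATTERNS) {
    for (const match of source.matchAll(pattern)) {
      let url;
      try {
        // Resolves relative and protocol-relative ("//host/...") references.
        url = new URL(match[1], pageOrigin);
      } catch {
        continue; // not a parseable URL, e.g. an unrendered template placeholder
      }
      const host = url.hostname.toLowerCase();
      const listed = THIRD_PARTY_HOSTS.some((h) => host === h || host.endsWith('.' + h));
      const isLucide = host === 'lucide.dev' || /lucide/i.test(url.pathname);
      if (listed && isLucide && !seen.has(url.href)) {
        seen.add(url.href);
        findings.push({ host, url: url.href });
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from a real site).
const SAMPLE_HTML = `
<script src="https://unpkg.com/lucide@latest"></script>
<img src="//cdn.jsdelivr.net/npm/lucide-static/icons/home.svg" alt="">
<img src="/assets/icons/lucide/menu.svg" alt="">
<script type="module">import { createIcons } from "https://esm.sh/lucide";</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap/dist/css/bootstrap.min.css">
`;

// Self hosted icon and the non-Lucide CDN stylesheet are not reported.
console.log(findExternalLucideLoads(SAMPLE_HTML, 'https://example.org'));
```

Run against each built page in CI, a non-empty result means visitor IP addresses still reach a CDN for icon files and the build can be failed before deployment.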
Websites using Lucide must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for using Lucide icons. The library does not set cookies, does not track users and does not transmit personal data beyond the standard HTTP request metadata that any CDN observes. The only mild privacy consideration is the IP address exposed to the CDN, which is shared with all external assets and is well below the threshold of Article 35 GDPR.
Sample consent text
We use Lucide, an open source icon library, to display the small icons in our user interface. The icons are loaded from a public CDN (jsDelivr or unpkg), which means your IP address is shared with that CDN to deliver the files. Lucide itself does not place any cookie or tracker on your device.
Third-party domains contacted
lucide.dev, cdn.jsdelivr.net, unpkg.com, esm.sh
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| no_cookies | first_party | N/A | Lucide itself does not set any cookies. This entry exists for inventory completeness; when Lucide is loaded from a third party CDN, that CDN may set its own operational cookies, which should be documented under the CDN entry, not under Lucide. |
No. Lucide is a static SVG and JavaScript icon library that does not set cookies, does not write local storage and does not fingerprint the visitor. The only data exposed is the HTTP request metadata (IP address, User Agent, Referer) that any server observes when a file is fetched, and that is processed by the operator origin or by the CDN where Lucide is hosted.
Consent is not required when Lucide is self hosted on the operator infrastructure: there is no storage on the visitor device and no third party transfer. Consent becomes a topic when Lucide is loaded from a public CDN such as jsDelivr or unpkg, because the visitor IP is exposed to the CDN. In Germany, after the Google Fonts case law, even passive third country transfers of IP addresses can be considered problematic without information and a legal basis.
For self hosted Lucide, the legal basis is legitimate interest under Article 6(1)(f) GDPR, because the icons are necessary to render the user interface and the impact on the visitor is minimal. For CDN hosted Lucide, the safest pattern is either to keep relying on legitimate interest with a clear transparency notice or, where doubt remains, to gate the loading behind a consent toggle in the functional category of your CMP.
Lucide itself does not transfer data. The CDNs commonly used to host Lucide (jsDelivr through Fastly and Cloudflare, unpkg through Cloudflare) operate edge servers worldwide, including in the United States, and have US controllers in their corporate chain. As a result loading Lucide from these CDNs can expose the visitor IP to a US controller. Self hosting or using an EU only CDN avoids this exposure.
No. Lucide does not perform profiling, automated decision making, large scale processing of sensitive data, systematic monitoring of public spaces or any of the other Article 35 GDPR criteria. The only personal data involved is the standard HTTP request metadata visible to any web server, so the threshold for a mandatory DPIA is not met.
Bundle Lucide locally with your build system, so the SVG or JavaScript assets are served from your own domain. If a CDN is required for performance reasons, choose one with an EU only routing option or list the CDN in your privacy notice as a recipient. Document the choice in your data inventory and treat the topic the same way you treat any other static asset served from a third party.
Direct alternatives are Feather Icons (the parent project of Lucide), Heroicons (by Tailwind Labs), Tabler Icons, Phosphor Icons, Iconoir and Remix Icon. All of them ship as SVGs or icon fonts and can be self hosted with the same compliance profile as Lucide. For pictogram heavy use cases Font Awesome (commercial and free tiers) is another mainstream option.
You do not need to add a cookie entry because Lucide sets no cookies. If you load Lucide from a public CDN, add a short note in the privacy notice under third party resources, mentioning the CDN provider (jsDelivr or unpkg), the fact that the visitor IP is shared with the CDN to deliver static files and the legal basis (typically legitimate interest, sometimes consent for German audiences).