Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Adobe Fonts (formerly Typekit) is a hosted webfont service that ships thousands of professional typefaces via JavaScript and CSS @font-face calls to use.typekit.net. The fonts themselves are loaded from Adobe's global CDN, and Adobe Inc. processes the visitor IP address and request metadata as part of the delivery. Adobe Fonts does not set tracking cookies but the request still constitutes a data transfer to Adobe.
Adobe Fonts (formerly Typekit) is a hosted webfont service included with the Adobe Creative Cloud subscription. Designers select fonts in the Adobe Fonts library, add them to a web project and embed a JavaScript loader or a CSS link tag that points to use.typekit.net. When a visitor opens the page, the browser fetches a small CSS file from Adobe, which in turn requests the actual font files from Adobe servers. The fonts are then declared via @font-face and used by the browser to render text.
Each time a visitor loads a page that uses Adobe Fonts, Adobe receives the visitor IP address, the User Agent, the Referer header, the timestamp of the request and the project identifier embedded in the URL. Adobe Fonts itself does not set cookies on the visitor browser and does not include third party tracking pixels. The personal data exposed to Adobe is therefore essentially the IP address and HTTP metadata generated by the browser when it asks the Adobe CDN for the fonts and the matching CSS file.
IP addresses processed by Adobe Fonts are personal data under the GDPR, and Adobe Inc. is the data controller for this technical telemetry. Because Adobe Fonts does not write information to the device, the ePrivacy storage rule is not triggered and explicit cookie consent is not required for the font request itself. Legitimate interest under Article 6(1)(f) GDPR is the natural legal basis for the technical delivery of fonts, provided that visitors are informed about the United States destination and the fonts are not bundled with marketing scripts that themselves require consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Even when the Adobe CDN serves a font from a European point of presence, Adobe Inc. centralises configuration, logging and support in the United States. Adobe relies on the Adobe Data Processing Agreement, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework to legitimise transfers, complemented by TLS 1.3, encryption at rest, ISO 27001 and SOC 2 Type II controls. German courts have repeatedly held that font services with non European delivery can be problematic without explicit information to users, similar to past Google Fonts case law.
Sign the Adobe Data Processing Agreement, list Adobe Fonts in your record of processing activities and add a dedicated section in the privacy notice that explains the use of Adobe Fonts, the legal basis (legitimate interest), the IP address transfer to Adobe Inc. in the United States, the SCC and DPF safeguards and the option for users to disable webfonts in their browser. For maximum risk reduction in the DACH region, consider self hosting font files (Open Font License) instead of loading them from the Adobe CDN.
Websites using Adobe Fonts must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a small site that only uses Adobe Fonts to render typography. A DPIA is recommended when Adobe Fonts is part of a wider Adobe Experience Cloud stack (Adobe Analytics, Target, Audience Manager) where consistent visitor identification across products could lead to large scale profiling of EU users.
Sample consent text
We use Adobe Fonts, a webfont service operated by Adobe Inc. (USA), to render the typography of this website. Loading Adobe Fonts transfers your IP address and request metadata to Adobe servers, including in the United States. By accepting, you allow this transfer under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
use.typekit.netuse.typekit.netp.typekit.netp.typekit.netfonts.adobe.comuse.edgefonts.netuse.fontawesome.comfonts.adobe.comtypekit.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| typekit | First party (Adobe Fonts JavaScript kit only) | Short lived (1 day) | Coordinates the font swap behaviour when the JavaScript kit is used; not written when only the CSS link integration is used |
| t_gid | Third party (Adobe Fonts Tracker, optional) | 1 year | Tracker identifier used when the optional Adobe Fonts Tracker is activated to attribute font activations to a kit; not written in the standard integration |
Adobe Fonts is an essential service, but transparency matters. Manage all your consent with FlowConsent.
When the CSS link integration is used, Adobe Fonts sets no cookie. The JavaScript kit may write a short lived typekit cookie used internally to coordinate font swap behaviour and a t_gid identifier if the optional Tracker is enabled. The main data flow is the IP plus user agent sent on every uncached font request.
Adobe Fonts itself does not write any cookies on the visitor's browser. The script and CSS files served by use.typekit.net do not set tracking or analytics cookies. Cookies that appear on a site using Adobe Fonts come from other layers (Adobe Analytics, Adobe Target, marketing tags) and must be evaluated separately.
It depends. Adobe Fonts itself does not write tracking cookies, but every uncached font request sends the visitor IP to Adobe servers in the US. The Munich Google Fonts ruling treats this as a personal data transfer needing consent or a documented legitimate interest. The safest approach for European audiences is to gate the kit behind consent or to self host the fonts.
Because Adobe Fonts does not read or write information on the device, the ePrivacy consent rule is not triggered. The transfer of the IP address to Adobe still requires a legal basis, typically legitimate interest under Article 6(1)(f) GDPR, and clear information in the privacy notice. Explicit consent is recommended in jurisdictions with strict case law on US webfont services, such as Germany.
Consent under GDPR art. 6(1)(a) is the safest basis. Legitimate interest under art. 6(1)(f) is defensible when the typeface is essential to brand identity, a documented balancing test is in place and the visitor can opt out. The Munich ruling pushes most operators toward consent or self hosting.
Legitimate interest under Article 6(1)(f) GDPR is the natural legal basis: providing a consistent typography improves the readability and the brand experience of the site. Article 6(1)(b) GDPR (performance of a contract) does not apply to anonymous visitors. Article 6(1)(a) GDPR (consent) can be a safer choice in Germany, given the past Google Fonts case law.
Yes. Font validation and usage telemetry endpoints are operated from US data centres. Adobe is certified under the EU US Data Privacy Framework. A Transfer Impact Assessment under EDPB Recommendation 01/2020 must be on file when Adobe Fonts is loaded by default.
Adobe Inc. signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via the Adobe Data Processing Agreement and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3 in transit, encryption at rest, ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II audits and tightly scoped employee access controls.
Usually not for Adobe Fonts alone because the data footprint is limited. A DPIA is recommended when Adobe Fonts is used together with Adobe Analytics or Adobe Experience Platform tags, as the data flows accumulate. Document the decision in your record of processing.
A DPIA is not required for a typical informational website that uses Adobe Fonts only to render typography. A DPIA is recommended when Adobe Fonts is bundled with Adobe Analytics, Adobe Target, Audience Manager or Adobe Real Time CDP, where consistent cross product identifiers could lead to large scale profiling of EU users.
Best path: self host the fonts using the Creative Cloud desktop licence. Alternative: gate the kit script behind functional consent, declare Adobe in the privacy notice, document the legitimate interest test if you choose that basis, and verify the active Data Privacy Framework certification.
Sign the Adobe Data Processing Agreement, document Adobe Fonts in your record of processing activities, add a dedicated paragraph in the privacy notice that names Adobe Inc., describes the legal basis and the US transfer, and links to the Adobe Privacy Policy. Avoid using user specific identifiers in the Adobe Fonts URL and prefer publishing the project ID only.
European or self hosted alternatives include Bunny Fonts (Slovenia, GDPR friendly drop in for Google Fonts), Fontshare (free fonts), the Open Font License catalogue (Inter, IBM Plex, JetBrains Mono) self hosted on your own server or CDN, and commercial foundries like MyFonts or Monotype that allow web kit self hosting.
Self hosted fonts (Google Fonts downloads, fonts.google.com archive, Bunny Fonts, Fontshare, Indestructible Type), Bunny Fonts as a privacy first CDN with EU only delivery, or commercial foundries like FontStand and Monotype with self hosting options. Self hosting is the most defensive choice.
Even if Adobe Fonts writes no persistent cookie, list it as a sub processor with the data flow (IP, user agent, kit ID), mention the US transfer under the Data Privacy Framework, link to the Adobe Privacy Center and indicate whether the kit is loaded conditionally on consent or by default.
Add a section in the privacy notice that explains that fonts are loaded from Adobe Fonts (operated by Adobe Inc., USA), that the loading transfers the IP address and request metadata to Adobe, that the legal basis is legitimate interest under Article 6(1)(f) GDPR, and that transfers are protected by SCCs and the EU US Data Privacy Framework. No entry in the cookie list is strictly required because no cookie is set.