Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Adobe Fonts (formerly Typekit) is Adobe's subscription web font service. It serves thousands of fonts to websites through a JavaScript embed or CSS link loaded from use.typekit.net. Each visit transmits the visitor's IP address and browser metadata to Adobe servers in the United States, making it subject to GDPR and ePrivacy rules in the same way as Google Fonts.
Adobe Fonts, formerly known as Typekit, is a subscription web font service operated by Adobe Inc. It is bundled with most Adobe Creative Cloud plans and gives designers access to thousands of fonts that can be embedded on websites. The fonts are delivered through a small JavaScript snippet or a CSS link that references use.typekit.net. When a visitor opens a page that uses Adobe Fonts, the browser requests the font files and a configuration script directly from Adobe servers in the United States.
Loading fonts from Adobe transmits the visitor''s IP address, the requested page URL (Referer header), the User Agent string, and request timing metadata to Adobe servers. Adobe also uses a tracking pixel on p.typekit.net to count font usage for billing and reporting purposes. While Adobe states that font requests are not used to build advertising profiles, the IP address is personal data under the GDPR and the transfer to the United States triggers the same legal questions raised by the German Google Fonts rulings.
Article 5(3) of the ePrivacy Directive requires consent before storing or reading information on a user''s device. The CSS and JavaScript loaded from Adobe Fonts is normally cached by the browser and the p.typekit.net pixel can set short lived tracking identifiers, both of which fall inside the scope of the cookie rules in most EU jurisdictions. Under the GDPR, the cross border transfer of IP addresses to the United States must rest on a valid Article 46 mechanism, which today means Standard Contractual Clauses or the EU US Data Privacy Framework certification that Adobe joined in July 2023.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Most European regulators treat third party web fonts the same way as Google Fonts: prior consent is the safest position because the request is not strictly necessary to display content and the IP address is shared with a US controller. In Germany, the Munich Regional Court ruling LG Munich I, 3 O 17493/20 in January 2022, although focused on Google Fonts, is widely interpreted as applying to any externally hosted font service that transfers IP addresses. The French CNIL takes a similar line. In practice, Adobe Fonts should be blocked until the visitor accepts the relevant consent category, typically the functional or preferences category.
Adobe Inc. is headquartered in San Jose, California and processes Adobe Fonts requests from US infrastructure. Adobe self certified under the EU US Data Privacy Framework in July 2023, which provides a Commission adequacy decision for data flows to certified US recipients. For controllers in the EU and EEA, Adobe also offers Standard Contractual Clauses through its General Terms for Adobe Subscription Services. Both mechanisms should be referenced in the privacy policy, together with the categories of data transferred (IP, URL, User Agent) and the retention period applied by Adobe.
The recommended approach is to block the Adobe Fonts embed until consent is captured, declare Adobe Inc. as a processor and US recipient in the privacy policy, and document the SCC or DPF reliance. Where consent is undesirable, a self hosted alternative such as serving Adobe licensed fonts from your own domain (where permitted by your Adobe Fonts plan) or switching to a self hostable open font (Inter, Roboto, IBM Plex) removes the transfer entirely. The consent banner should expose Adobe Fonts in a granular preferences category so that users can opt out without losing functional cookies.
Websites using Adobe Fonts (Typekit) must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA is generally not required for Adobe Fonts on a typical website, but the cross border transfer of IP addresses to the United States must be documented in the record of processing activities (Art. 30 GDPR). Where Adobe Fonts is combined with other tracking on the same page, the cumulative privacy impact should be assessed.
Sample consent text
We use Adobe Fonts (Typekit) to display web fonts on this site. Loading these fonts sends your IP address to Adobe Inc. in the United States. Do you accept?
Third-party domains contacted
use.typekit.netp.typekit.netfonts.adobe.comtypekit.comuse.typekit.comdemdex.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| typekit.previewing | session | Session | Indicates that a Typekit preview is being shown for the current session in design tools and during font selection. |
| p.typekit.net request log | pixel/log | Logged on server, no persistent client cookie | Adobe records a server side log of font requests including IP, User Agent and Referer for billing, abuse prevention and usage analytics. No long lived client cookie is set, but the request itself transmits personal data. |
| AMCV_<ID>@AdobeOrg | third party | 2 years | Set on adobe.com sub properties (fonts.adobe.com) by Adobe Experience Cloud when users interact with the Adobe Fonts management UI. Not normally set on third party sites that only embed fonts. |
| s_cc | third party | Session | Adobe Analytics session cookie used on Adobe owned properties to determine whether cookies are enabled in the browser when managing fonts. |
| demdex | third party | 180 days | Adobe Audience Manager identifier set on demdex.net when Adobe Fonts management or marketing pages are visited; not set by the font delivery itself. |
Adobe Fonts (Typekit) is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Adobe Fonts does not set long lived first party cookies for visitor tracking. However, the embed loads scripts and a pixel from typekit.net which can cause the browser to cache resources and may set short lived identifiers in some configurations. Under the ePrivacy rules, this still requires consent in most EU jurisdictions because information is being read from and stored on the user device.
In practice, yes. Adobe Fonts transmits the visitor IP address to Adobe in the United States, which qualifies as a third country transfer of personal data under the GDPR. Following the same reasoning as the Munich Google Fonts ruling, the safest position is to block Adobe Fonts until the visitor gives consent through a properly designed banner.
The recommended legal basis is consent under Article 6(1)(a) GDPR, combined with consent under Article 5(3) of the ePrivacy Directive for any data read from or written to the device. Legitimate interest is risky because the cross border transfer to the US, even under the DPF, is hard to weigh against the visitor's privacy interests in a font request that could be replaced by a self hosted alternative.
Yes. Adobe Inc. is a US company and processes Adobe Fonts requests from US infrastructure. Since July 2023, Adobe is self certified under the EU US Data Privacy Framework, which provides an adequacy decision for transfers to certified Adobe entities. Adobe also offers Standard Contractual Clauses for customers that prefer or need additional safeguards.
A standalone DPIA is generally not required for embedding Adobe Fonts on a typical informational or marketing website. The processing is limited in scope and risk. However, when Adobe Fonts is combined with broader Adobe Experience Cloud tracking or used on a high risk service (health, public authority, large scale profiling), the cumulative impact may justify documenting the assessment in a wider DPIA.
Wrap the Adobe Fonts script and CSS link in a consent gate so they only load when the user accepts the relevant category. Add Adobe Inc. to the list of recipients in your privacy policy with a description of the transfer (IP, URL, User Agent) and the SCC or DPF reliance. Declare the typekit.net domains in your cookie policy as third party resources requiring consent.
The strongest alternative for GDPR is to self host the fonts. Many open fonts (Inter, Roboto, IBM Plex, Source Sans, Public Sans) can be downloaded and served from the same domain as the site, removing the third country transfer. Some Adobe Fonts licenses also allow you to package and self serve specific font files. Google Fonts is not a better alternative because it raises the same legal questions.
Add a dedicated entry under the Functional or Preferences category. State the provider (Adobe Inc., 345 Park Avenue, San Jose, CA 95110, USA), the domains (use.typekit.net, p.typekit.net, fonts.adobe.com), the purpose (delivering web fonts and measuring usage), the transfer mechanism (EU US Data Privacy Framework or SCC) and the retention period applied by Adobe.