Hosted webfont service from Hoefler & Co that delivers a project-specific CSS bundle and WOFF/WOFF2 font files from US servers, transmitting visitor IP addresses on every page load.
Cloud.typography is the hosted webfont service operated by Hoefler & Co, the US type foundry behind families such as Gotham, Whitney, Sentinel and Mercury. Subscribers license fonts through the typography.com customer portal and receive a project-specific CSS bundle hosted on Hoefler infrastructure. A website embeds that bundle with a single link tag, after which the visitor's browser fetches both the CSS and the WOFF or WOFF2 font files directly from cloud.typography.com (often fronted by Fastly or Cloudflare). No JavaScript runs and no cookies are set by default, but every page view triggers a passive request to a third-party server in the United States.
By default Cloud.typography does not set any cookies in the visitor's browser and does not run client-side scripts. The privacy footprint is the data automatically included in every HTTP request that fetches the CSS bundle or a font file: the visitor IP address, the User Agent string identifying browser and operating system, the Referer header revealing which page on the website triggered the load, and standard timing metadata at the CDN edge. These items are logged by Hoefler & Co and any intermediate CDN (Fastly, Cloudflare) for security, abuse prevention and billing usage statistics tied to the project domain.
Under the GDPR the IP address is personal data, and the transmission to a US server is a processing activity carried out under the website operator's responsibility. Under Article 5(3) of the ePrivacy Directive, downloading a CSS file is itself a storage of information on the user's device, which means a strict reading aligns hosted fonts with cookie-like rules. The Landgericht München I judgment of 20 January 2022 (3 O 17493/20) on Google Fonts is the leading authority: it ruled that forwarding a visitor IP to a US server without consent breached the GDPR and awarded EUR 100 in non-material damages. Cloud.typography follows the exact same delivery pattern and is therefore exposed to the same legal reasoning.
Following the LG München I logic, the safest legal basis for loading Cloud.typography is explicit prior consent under Article 6(1)(a) GDPR, paired with the Article 5(3) ePrivacy consent that German TDDDG Section 25 also requires for any access to the terminal equipment that is not strictly necessary. Legitimate interest under Article 6(1)(f) is sometimes invoked, but the Munich court rejected it for hosted Google Fonts because a self-hosted alternative existed. The consent banner must therefore block the link tag until the visitor agrees, and a documented opt-out must restore system fonts as a fallback. Pure information notices in the privacy policy are not sufficient.
Every Cloud.typography request crosses into the United States, which makes Chapter V GDPR transfer rules applicable. The website operator must rely on the EU-US Data Privacy Framework (if Hoefler & Co is certified) or on Standard Contractual Clauses with a Transfer Impact Assessment, plus supplementary measures such as IP truncation requests where supported. The key practical difficulty is that Hoefler & Co does not generally allow self-hosting of the font files under the standard Cloud.typography subscription, so operators wanting to fully remove the US transfer must either negotiate a self-hosting license, switch foundries (Klim, Grilli, Bunny Fonts, Fontshare, self-hosted Google Fonts) or gate the font load behind a granular consent flow.
Websites using Cloud.typography must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is usually not required for Cloud.typography on a standard website because no behavioural tracking occurs, but a record of processing activities and a Transfer Impact Assessment (TIA) should document the systematic transmission of visitor IP addresses to Hoefler & Co servers in the United States. The LG München I judgment of 20 January 2022 (3 O 17493/20) on Google Fonts is the direct legal benchmark: the court awarded damages because the website operator forwarded the visitor IP to a US server without consent, and the same passive transmission pattern applies here. Document the lawful basis chosen (consent is safer than legitimate interest after that ruling), the SCCs and supplementary measures negotiated with Hoefler & Co, and any residual risk for visitors located in Germany or other strict member states.
Sample consent text
We use Cloud.typography, a hosted webfont service operated by Hoefler & Co (United States), to display the typefaces on this site. When you load a page, your browser fetches a CSS file and font files from servers in the United States, which transmits your IP address, browser User Agent and Referer to Hoefler & Co and its CDN providers. With your consent we will enable this font delivery. Without consent we will fall back to system fonts. You can change your choice at any time in the cookie settings.
Third-party domains contacted
typography.com, cloud.typography.com, cdn.typography.com, cloud.typography.com/cdn, hoeflerco.com, fastly.net, cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| (no first-party cookie set by Cloud.typography) | none | n/a | Cloud.typography does not set any cookies in the visitor's browser by default. The CSS bundle and WOFF/WOFF2 files are delivered without cookie headers; the privacy footprint is limited to the IP address, User Agent and Referer transmitted with each HTTP request. |
| browser font cache (HTTP Cache-Control) | browser cache | up to 1 year per Cache-Control max-age | WOFF/WOFF2 font files and the project CSS are cached locally by the browser using standard HTTP Cache-Control headers to reduce repeat requests. This is not a cookie, but it is the main client-side persistence introduced by the service. |
| Fastly or Cloudflare edge cookies (conditional) | third-party CDN | session to 1 year depending on CDN configuration | When Cloud.typography is fronted by Fastly or Cloudflare, those CDNs may set their own operational cookies (for example __cf_bm bot management or routing cookies) when challenging suspicious traffic. Exact names depend on the CDN configuration negotiated by Hoefler & Co. |
| typography.com session cookies (admin portal only) | first-party (admin) | session | When a customer logs into the typography.com customer dashboard to manage projects, session cookies are set on the typography.com domain. These are not exposed to website visitors and only affect logged-in subscribers managing their account. |
None by default. Cloud.typography delivers a CSS file and WOFF/WOFF2 font files without any cookies or JavaScript identifiers. The privacy issue is the IP address, User Agent and Referer header that every browser request transmits to Hoefler & Co servers in the United States and to any intermediate CDN such as Fastly or Cloudflare.
Yes, under the strict reading. The LG München I judgment of 20 January 2022 on Google Fonts treats forwarding a visitor IP to a US server as personal data processing that needs prior consent. Cloud.typography uses the same delivery pattern, so the safest implementation is to block the font link tag until the visitor agrees.
Consent under Article 6(1)(a) GDPR is the safest basis after the Munich ruling. Legitimate interest under Article 6(1)(f) is sometimes argued but was rejected by the court for hosted Google Fonts because a self-hosted alternative existed. The same reasoning extends to Cloud.typography.
Yes. Hoefler & Co is a United States company and its CDN edges (Fastly, Cloudflare) also route traffic through the US. Every page view transmits the visitor IP, User Agent and Referer to those servers, so Chapter V GDPR rules apply: SCCs, the EU-US Data Privacy Framework if certified, and a Transfer Impact Assessment.
A full DPIA is usually not required for fonts-only loading because there is no behavioural tracking, but a record of processing activities and a Transfer Impact Assessment are recommended. Document the legal basis, the SCCs with Hoefler & Co and any residual risk for visitors in strict member states such as Germany.
Gate the font link tag behind a granular consent option and fall back to system fonts when the visitor refuses. Update the privacy policy with the LG München I context and the US transfer. The key constraint is that Hoefler & Co does not generally allow self-hosting under the standard subscription, so a self-hosting license must be negotiated separately if needed.
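The gating step described here and in the legal-basis section above (block the link tag until the visitor agrees, restore system fonts on refusal or withdrawal), as an added example that is not FlowConsent or Hoefler & Co code. The stylesheet URL is a placeholder, and the storage key, element id and `system-fonts` class are assumed names.

```javascript
// Added example: consent-gated loading of a hosted font stylesheet.
// FONT_CSS_HREF is a placeholder; the storage key, element id and CSS class
// are names assumed for this example.
const FONT_CSS_HREF = "https://cloud.typography.com/PROJECT-PATH/fonts.css";
const CONSENT_KEY = "consent.webfonts";
const LINK_ID = "hosted-webfonts";
const FALLBACK_CLASS = "system-fonts";

// Only an explicit "granted" counts. A missing, malformed or "denied" value
// means no request to the third party is made.
function hasFontConsent(storage) {
  return storage.getItem(CONSENT_KEY) === "granted";
}

// Bring the page in line with the stored choice. Returns "hosted" or "system".
// The <link> is created here and must NOT also exist in the static HTML:
// the browser would fetch it (sending IP, User Agent, Referer) before any
// script runs.
function applyFontConsent(doc, storage) {
  const existing = doc.getElementById(LINK_ID);
  if (hasFontConsent(storage)) {
    if (!existing) {
      const link = doc.createElement("link");
      link.id = LINK_ID;
      link.rel = "stylesheet";
      link.href = FONT_CSS_HREF;
      doc.head.appendChild(link);
    }
    doc.documentElement.classList.remove(FALLBACK_CLASS);
    return "hosted";
  }
  if (existing) existing.remove(); // withdrawal: drop the @font-face rules
  doc.documentElement.classList.add(FALLBACK_CLASS);
  return "system";
}

// Called by the banner's accept / reject / withdraw controls.
function setFontConsent(doc, storage, granted) {
  storage.setItem(CONSENT_KEY, granted ? "granted" : "denied");
  return applyFontConsent(doc, storage);
}

// In a browser, apply the stored choice on every page load.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  applyFontConsent(document, localStorage);
}
```

The site's own CSS should list system families after the licensed family in each font-family stack, so text renders immediately whenever the hosted stylesheet is absent.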
Yes. EU-based Bunny Fonts, self-hosted Google Fonts, Fontshare from Indian Type Foundry, Klim Type Foundry self-hosted licenses, Adobe Fonts (still US-hosted with similar concerns) and self-hosted licensed fonts from independent foundries. Some customers also approach Hoefler & Co for a custom self-hosting license.
Add a section explaining that the site loads webfonts from Hoefler & Co (Cloud.typography) in the United States, list the data transmitted (IP, User Agent, Referer), reference the LG München I ruling for context, name the transfer mechanism (SCCs or EU-US DPF) and provide a clear link to withdraw consent at any time.