Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Bootstrap is the most popular open source CSS framework, providing a responsive grid system, typography, form controls, navigation, modals and a comprehensive set of utility classes. Originally released by Twitter and maintained today by an independent team, Bootstrap also ships an optional JavaScript bundle for interactive components such as dropdowns, tabs and collapsible panels. Bootstrap itself does not set cookies. The privacy considerations come from how the framework is delivered: bundled in the application or loaded from cdn.jsdelivr.net.
Bootstrap is a CSS framework released in 2011 by Mark Otto and Jacob Thornton at Twitter and now maintained by an independent open source team. It provides a 12 column responsive grid, typography scale, button, form, navigation, card, modal and alert components, plus utility classes for spacing, color and typography. An optional JavaScript bundle adds dropdowns, tooltips, popovers, carousels and collapsible panels. On a website Bootstrap appears as a CSS file plus an optional JavaScript file, served from the same domain or from cdn.jsdelivr.net.
Bootstrap does not set cookies, does not write to localStorage and does not perform any tracking. The CSS file is static. The optional JavaScript only manipulates the DOM in response to user clicks. The only data exchanged with the network is the HTTP request that downloads the files from the hosting CDN.
Bootstrap does not store information on the user device, so the strict consent rule of Article 5(3) ePrivacy does not apply. However, requesting the CSS or JavaScript from jsDelivr transmits the visitor IP to a non-EU operator. The Bonn Regional Court ruling on Google Fonts shows that this transmission may require a clear legal basis or consent.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
cdn.jsdelivr.net is the default Bootstrap CDN. It runs on Cloudflare Inc. and Fastly Inc., both US controlled and certified under the EU-US Data Privacy Framework. Self-hosting on an EU server, or using an EU specific CDN such as Bunny CDN or Scaleway Edge, removes the cross-border transfer.
For self-hosted Bootstrap, legitimate interest (Article 6(1)(f) GDPR) is the standard basis. For CDN delivery, gather opt-in consent through a Consent Management Platform before requesting the file, or document a legitimate interest assessment that demonstrates data minimisation and EU-US Data Privacy Framework adequacy.
Install Bootstrap through npm and bundle the CSS with PostCSS or Sass and the JavaScript with the rest of the application code. Serve the resulting files from your own domain or an EU CDN. Add Subresource Integrity hashes and a Content Security Policy. Document the framework in the privacy notice if the optional JavaScript components are loaded from a public CDN.
Websites using Bootstrap must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not necessary for Bootstrap. A short transfer impact assessment is enough when the framework is loaded from jsDelivr or another non-EU CDN, documenting that only IP and User-Agent are transmitted and that self-hosting eliminates the transfer.
Sample consent text
This website uses the Bootstrap CSS framework. Bootstrap itself does not set cookies and does not collect data. The compiled CSS and optional JavaScript are served from our own domain. No specific Bootstrap consent is required.
Third-party domains contacted
cdn.jsdelivr.netcdnjs.cloudflare.comgetbootstrap.comunpkg.comThis service may collect user data. Ensure GDPR compliance with FlowConsent.
No. Bootstrap is a CSS framework with optional JavaScript components and sets no cookies, uses no localStorage and performs no tracking.
Self-hosted Bootstrap needs no specific consent. Loading from jsDelivr or another non-EU CDN may require consent because the visitor IP is transmitted to a US provider.
Legitimate interest under Article 6(1)(f) GDPR when self-hosted. With a public CDN, gather opt-in consent or document a legitimate interest assessment.
Only when loaded from cdn.jsdelivr.net (Cloudflare and Fastly) or cdnjs.cloudflare.com. Self-hosting on an EU server eliminates the transfer.
No. A short transfer impact assessment is enough for the public CDN scenario.
Install via npm, bundle the CSS and optional JavaScript with the rest of the application, serve from your own domain or an EU CDN, add Subresource Integrity hashes and configure a Content Security Policy.
Tailwind CSS, Bulma, Foundation, UIKit, Pico CSS, Beer CSS, Open Props for CSS only, and component libraries such as Shoelace, Material Web Components and Spectrum CSS.
Self-hosted Bootstrap requires no mention. With a third party CDN, list the provider, the IP transfer on each load and the applicable EU-US Data Privacy Framework or Standard Contractual Clauses basis.