Bootstrap Icons is a free, open source SVG icon library maintained by the Bootstrap core team. It ships more than two thousand vector icons that can be embedded inline, used as web fonts or referenced from a CDN. Bootstrap Icons does not set cookies and does not track users. However, loading the library from jsDelivr or unpkg causes the user IP address to be logged by the CDN provider, which raises GDPR and ePrivacy considerations that are usually solved by self hosting the assets.
Bootstrap Icons is a free, open source SVG icon library released under the MIT licence and maintained by the Bootstrap core team at Twitter (now X). It provides more than two thousand vector glyphs that can be embedded inline as SVG markup, used through a web font, or referenced from the public jsDelivr or unpkg content delivery networks. The library itself is pure markup and CSS, contains no JavaScript trackers and does not communicate with any analytics endpoint. It is widely used in dashboards, marketing sites and design systems built on the Bootstrap framework.
When Bootstrap Icons is self hosted on the controller infrastructure, no personal data is processed by the library. The browser simply downloads SVG or font files from the same origin as the page. When the assets are referenced from a public CDN such as cdn.jsdelivr.net or unpkg.com, the visitor IP address and standard HTTP request metadata (User Agent, Referer, timestamp) are logged by the CDN provider. The icons do not set cookies, do not write to local storage and do not fingerprint the browser.
The IP address is recognised as personal data under Art. 4(1) GDPR (see CJEU, Breyer, C-582/14). Loading the icons from a public CDN therefore triggers a processing activity even though no cookie is set. The Conseil d'Etat ruling on Google Fonts and similar national decisions (LG München I, 20 January 2022) confirm that embedding remote assets without a valid legal basis can be challenged. Article 5(3) of the ePrivacy Directive applies only to information stored or accessed on the terminal, which is generally not the case here.
Self hosted Bootstrap Icons can rely on legitimate interest under Art. 6(1)(f) GDPR since the IP address never leaves the controller, the purpose (rendering the website) is obvious and the impact on the data subject is negligible. When the icons are loaded from jsDelivr or unpkg, controllers should either obtain prior consent under Art. 6(1)(a) GDPR or replace the CDN with a self hosted copy. Most consent management platforms classify CDN delivered icons as functional but the safer path is to self host.
jsDelivr is operated by ProspectOne (Poland) but uses Cloudflare and Fastly edge nodes located across the United States and worldwide. unpkg is operated by Cloudflare in the United States. Transfers therefore fall under Chapter V GDPR and require Standard Contractual Clauses combined with the supplementary measures recommended by the EDPB after Schrems II (CJEU, C 311/18). Cloudflare and Fastly are both certified under the EU US Data Privacy Framework, which provides an adequacy decision route for transfers initiated from the EU.
Install the bootstrap-icons npm package or download the release archive and serve the SVG, woff2 and CSS files from your own origin. Add a Subresource Integrity hash if you must keep the CDN reference. Document the choice in the record of processing activities, list Bootstrap Icons in the technical cookies section of the privacy notice for transparency, and review the integration after each major release. If consent is required because you keep the CDN reference, block the <link rel="stylesheet"> tag until the visitor accepts the functional category.
Websites using Bootstrap Icons must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA under Art. 35 GDPR is generally not required when Bootstrap Icons is self hosted on the controller infrastructure because no personal data is processed by the library itself. When the icons are loaded from a public CDN such as jsDelivr or unpkg, a record of processing activities under Art. 30 GDPR should document the transfer of the visitor IP address to the CDN operator, the legal basis, the safeguards (SCCs, EU US Data Privacy Framework where applicable) and the retention period applied by the CDN.
Sample consent text
We use the open source Bootstrap Icons library to display icons across our website. The icons are served from our own servers and do not set cookies or identifiers. If we load the icons from a public CDN, your IP address is processed by the CDN provider only for the purpose of delivering the file and is not used for advertising or profiling.
Third-party domains contacted
- cdn.jsdelivr.net
- unpkg.com
- registry.npmjs.org
- github.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none | None | N/A | Bootstrap Icons does not set cookies or write to local storage in standard usage. When loaded from a public CDN, the CDN provider may set its own infrastructure cookies, which are out of scope of the library itself. |
No. Bootstrap Icons is a pure SVG and CSS asset library. It contains no JavaScript that reads cookies, no fingerprinting code and no telemetry calls. When the files are served from your own origin the only data exchanged is the HTTP request for the icon files. When the library is loaded from jsDelivr or unpkg, the CDN provider logs the visitor IP address, User Agent and Referer, which under GDPR is personal data even though no cookie is set. The mitigation is to host the assets locally rather than reference the public CDN.
When Bootstrap Icons is self hosted you do not need consent because no personal data leaves your servers and Article 5(3) ePrivacy does not apply. When the library is loaded from a public CDN, EU regulators expect either consent or a documented legitimate interest, given that the visitor IP is sent to a third party. The CNIL, the German DSK and the AEPD all consider remote font and asset loading a sensitive integration since the LG München I Google Fonts ruling of 2022. Self hosting removes the issue.
For self hosted use, the most appropriate basis is legitimate interest under Art. 6(1)(f) GDPR: rendering a website is a clear and proportionate purpose, no profile is built, and the data subject impact is negligible. A documented balancing test should be kept in the record of processing activities. For CDN use, controllers should either rely on consent under Art. 6(1)(a) GDPR or perform a stricter balancing test that accounts for the international transfer of the IP address and the lack of control over CDN logs.
Yes, if you use the public CDN. jsDelivr routes traffic through Cloudflare and Fastly edges, both headquartered in the United States. unpkg is hosted entirely on Cloudflare. After Schrems II (CJEU C-311/18), transfers to the US require Standard Contractual Clauses plus supplementary measures, or reliance on the EU-US Data Privacy Framework adequacy decision under which Cloudflare and Fastly are certified. If you self host the icons inside the EU or on an EU-only CDN, no third country transfer occurs and these obligations fall away.
A full Data Protection Impact Assessment under Art. 35 GDPR is not required for Bootstrap Icons because the processing is low risk, limited in scope and does not involve special category data. A short notice in the Art. 30 record of processing activities is enough. If you load the library from a public CDN, the record should describe the categories of data (IP, User Agent, Referer), the recipient (Cloudflare, Fastly, ProspectOne), the legal basis, the transfer mechanism and the retention period applied by the CDN provider.
Install the npm package, copy the icons folder into your asset pipeline, or download the release zip from the official GitHub repository. Reference the local bootstrap-icons.css file in your HTML head or import the SVG sprite. Add a Content Security Policy directive that allows 'self' only, with no external CDN. If a third party theme injects the CDN URL automatically, override the path or use Subresource Integrity. Mention Bootstrap Icons in the technical cookies and tools section of the privacy notice for transparency.
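The self hosting and Subresource Integrity steps described above (here and in the earlier implementation paragraph) can be checked at build time. The following is an added example, not code from Bootstrap Icons or from this page: it scans rendered HTML for link and script tags pointing at the CDN hosts named on this page and reports whether an integrity attribute is usable, and it computes the sha384 integrity value for a file you vendor. The sample HTML, the /assets/ path, example-lib and the X.Y.Z versions are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

CDN_HOSTS = {"cdn.jsdelivr.net", "unpkg.com"}  # public CDNs named on this page

# Constructed sample page; X.Y.Z and the integrity value are placeholders.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@X.Y.Z/font/bootstrap-icons.min.css">
<link rel="stylesheet" href="/assets/bootstrap-icons/bootstrap-icons.css">
<script src="//unpkg.com/example-lib@X.Y.Z/dist/example.js" integrity="sha384-PLACEHOLDER"></script>
"""


def sri_hash(data: bytes) -> str:
    """Return the Subresource Integrity value (sha384) for a file's bytes."""
    digest = hashlib.sha384(data).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class AssetAudit(HTMLParser):
    """Flag <link> and <script> tags that load from a public CDN."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, issue)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") or a.get("src")
        if tag not in ("link", "script") or not url:
            return
        host = urlparse(url).hostname  # also resolves protocol-relative //host/...
        if host not in CDN_HOSTS:
            return  # same-origin or other host: nothing sent to the listed CDNs
        if not a.get("integrity"):
            issue = "no integrity attribute"
        elif "crossorigin" not in a:
            issue = "integrity set but crossorigin missing, browser will block it"
        else:
            issue = "SRI present, visitor IP still reaches the CDN"
        self.findings.append((tag, url, issue))


def audit(html: str):
    """Return a list of (tag, url, issue) for CDN-hosted assets in html."""
    parser = AssetAudit()
    parser.feed(html)
    return parser.findings
```

An empty result from audit() means every stylesheet and script is served from your own origin, which is the state the 'self'-only Content Security Policy then enforces in the browser.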
Other open source icon sets with similar licences include Heroicons (Tailwind Labs), Lucide (Feather fork), Phosphor Icons, Tabler Icons, Material Symbols and Remix Icon. All can be self hosted to avoid third country transfers. Closed source options like Font Awesome Pro require a licence but offer a self host package. For accessibility and performance, prefer inline SVG with an aria label or aria hidden attribute over icon fonts, which can cause flash of unstyled text and screen reader issues.
Although Bootstrap Icons does not set cookies, the privacy notice should mention it for transparency, especially if the public CDN is used. Add an entry under technical assets explaining that the library is loaded from cdn.jsdelivr.net or unpkg.com, that the IP address is processed by the CDN to deliver the file, that the legal basis is legitimate interest or consent, and that no profile is created. Update the entry whenever you switch between CDN and self hosted delivery.