IBM Carbon Design System is an open source design system maintained by IBM that provides ready to use UI components, CSS, icons and web fonts for building accessible web interfaces. It is most often consumed as static assets through a public CDN or installed via npm and self-hosted. Carbon itself does not set tracking cookies, but loading the bundle from a third party CDN exposes the visitor's IP address to the CDN provider and can introduce data transfer questions.
The IBM Carbon Design System is an open source design system maintained by IBM and a wide community of contributors. It provides a coherent set of accessible UI components (buttons, inputs, modals, tables, data visualisation widgets), a CSS framework, icons, illustrations, the IBM Plex web font and React, Angular, Vue and Web Component implementations. Carbon is used by IBM products, partners and many third party teams that want a robust accessibility-first foundation without building one from scratch. The system is delivered either via npm packages installed in a build pipeline or via prebuilt bundles served from a CDN.
Carbon as a library does not set cookies, fingerprint visitors or send analytics events. The only data exchange triggered by Carbon itself is the technical HTTP request that downloads its CSS, JavaScript, font and icon files, plus the regular caching headers. However, every HTTP request inherently transmits the visitor's IP address, user agent, Referer and request timing to the server that delivers the file. When that server is a third party CDN, the CDN operator becomes a data recipient and may keep access logs, set its own analytics cookies or apply security challenges.
If Carbon assets are self-hosted on your own infrastructure, the processing is limited to the strictly necessary technical loading of resources you control. Article 5(3) ePrivacy does not require consent for purely technical operations strictly necessary for a service requested by the user, and legitimate interest under Article 6(1)(f) GDPR is generally a defensible legal basis. If Carbon is loaded from a third party CDN, the publisher must additionally evaluate whether the CDN itself meets GDPR standards, whether it sets cookies that fall outside the strictly necessary exemption and how it logs visitor IPs.
The most popular public CDNs (unpkg routed through Cloudflare, jsDelivr routed through Fastly and Cloudflare, IBM-hosted endpoints on IBM Cloud) all involve US-headquartered operators with global edge networks. Following the Schrems II ruling and the entry into force of the EU-US Data Privacy Framework, transfers can be lawful where the recipient is certified under the DPF, but the publisher must verify the certification, document the transfer in the record of processing activities and consider whether the IP address logged at the edge can be linked back to an identifiable visitor. Self-hosting Carbon, or using an EU based mirror, removes the transfer entirely.
For most production websites the recommended pattern is to install Carbon via npm, bundle it with your application code and serve the resulting assets from the same origin as the rest of the site, behind your normal CDN or web server. This removes any third party transfer specific to Carbon and avoids depending on a third party's uptime. If you must use a public CDN, prefer one with a documented EU presence and DPF certification, add Subresource Integrity hashes to the script and link tags, and disclose the CDN in your privacy notice. Carbon itself remains compliance-friendly because it is a passive set of UI primitives.
DPIA considerations
A full Data Protection Impact Assessment is generally not required for self-hosted Carbon assets, as the processing is limited to the technical delivery of UI resources and presents minimal risk to data subjects. If Carbon is loaded from a third party CDN such as unpkg or jsDelivr, you should perform a documented transfer risk assessment for that CDN, list it in your record of processing activities and review whether the CDN sets its own cookies. The decisive factor is the CDN choice, not Carbon itself.
Sample consent text
This website uses the IBM Carbon Design System to render its user interface. Carbon is loaded from our own servers and does not place cookies on your device. Some font files and icons may be cached by your browser for performance. No personal data is shared with IBM or any third party as a result of using Carbon on this page.
Third-party domains contacted
carbondesignsystem.com
unpkg.com
cdn.jsdelivr.net
1.www.s81c.com
No. Carbon is a passive library of UI components, CSS and assets. It does not set cookies, run analytics or fingerprint visitors. The only cookies that can appear in connection with Carbon come from the CDN that delivers the files (for example, Cloudflare or Fastly security cookies on unpkg or jsDelivr), or from your own application code that happens to use Carbon components.
If Carbon is self-hosted on your own domain, no consent banner is needed for the assets themselves: loading them is strictly necessary for rendering the requested page. If you load Carbon from a third party CDN that may set cookies or profile visitors, you should at least disclose this in your privacy notice and, depending on the CDN, gate it behind consent.
Self-hosted Carbon resources fall under the strictly necessary exemption of Article 5(3) ePrivacy and can rely on legitimate interest under Article 6(1)(f) GDPR for any limited log data they generate. CDN delivered Carbon raises an additional question: the CDN provider becomes a recipient, so you may need to add its processing to your record and, if it sets non-essential cookies, obtain consent under Article 5(3) ePrivacy.
Public CDNs use global edge networks. unpkg routes through Cloudflare, jsDelivr through Fastly and Cloudflare, and IBM-hosted endpoints through IBM Cloud. EU visitors will usually be served from an EU edge, but the CDN operator is US headquartered and request logs may be replicated to other regions. This makes each CDN a third country transfer to assess unless the operator is DPF certified or you self-host.
A formal Data Protection Impact Assessment is not required for self-hosted Carbon, since the processing is limited to the technical delivery of UI resources with negligible risk to data subjects. If you load Carbon from a third party CDN, a short transfer impact assessment for the CDN is sensible, but a full DPIA under Article 35 GDPR is typically disproportionate.
Install Carbon via npm or yarn, include it in your application bundle and serve everything from the same origin (or your own CDN). Avoid linking directly to unpkg, jsDelivr or other shared CDNs in production. Pin a specific version, ship integrity hashes, and keep dependencies up to date. This combination eliminates the third party transfer questions and keeps Carbon as close to a no-impact dependency as possible.
European or open source design systems that ship without third party calls include Material UI when self-hosted, Bootstrap, Bulma, Tailwind plus headless component libraries such as Radix UI or Headless UI. None of these alter the GDPR balance of your site by themselves, provided you ship their assets from your own origin. Carbon remains an attractive option thanks to its accessibility focus.
If Carbon is self-hosted and you do not load any third party assets, there is nothing specific to add about Carbon. If you load Carbon from unpkg, jsDelivr or another third party CDN, mention the CDN in your cookie policy and privacy notice, indicate the categories of data shared (IP, request metadata), the destination country and the legal basis. Review this entry whenever you change CDN.