Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
jQuery is the most widely deployed JavaScript library on the web, used by an estimated 70 percent of the top one million websites. It simplifies DOM manipulation, event handling, animations and AJAX requests with a concise chainable API. jQuery itself does not set any cookies. The GDPR question is not the library but where it is loaded from: a self-hosted file raises no third party concern, while loading from code.jquery.com, ajax.googleapis.com or cdnjs.cloudflare.com transmits the visitor IP to a US controlled content delivery network.
jQuery is an open source JavaScript library maintained by the OpenJS Foundation. It exposes a small, chainable API that smooths out browser inconsistencies for DOM manipulation, event binding, animations and AJAX. On a website jQuery appears as a single .js file declared in a script tag, either bundled with the rest of the JavaScript (self-hosted) or fetched from a public CDN such as code.jquery.com, ajax.googleapis.com or cdnjs.cloudflare.com.
jQuery itself stores nothing on the device. It does not set cookies, does not write to localStorage, does not fingerprint the browser. The only personal data involved is the standard HTTP request to fetch the script: the visitor IP address, the User-Agent header, the referring page URL and TLS metadata. That data is processed by the CDN that hosts the file, not by jQuery as a software component.
Loading a script does not store information on the user device, so the strict cookie consent rule of Article 5(3) ePrivacy Directive does not apply per se. However, the request itself transmits the IP address to the third party CDN, which is personal data under the GDPR. The Bonn Regional Court ruling of 20 January 2022 on Google Fonts confirmed that this transmission requires either a clear legal basis or prior consent. The same logic applies to any external CDN used to deliver jQuery.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
All three major public jQuery CDNs are US controlled. code.jquery.com is operated by the OpenJS Foundation through StackPath / Edgio infrastructure, ajax.googleapis.com is part of Google global infrastructure, and cdnjs.cloudflare.com runs on Cloudflare. Even when the response is served from a European edge node, the provider remains subject to US law. Google LLC and Cloudflare Inc. are certified under the EU-US Data Privacy Framework, which provides an adequacy basis for the transfer; the jQuery Foundation CDN relies on Standard Contractual Clauses.
For self-hosted jQuery, legitimate interest under Article 6(1)(f) GDPR is sufficient since no third party receives data. When using a public CDN, the operator must either obtain prior opt-in consent before the script tag is rendered, or document a strong legitimate interest balanced against the visitor right to data protection. The safest option for European websites is to self-host the file or to use an EU CDN such as Bunny CDN, KeyCDN or Scaleway Edge.
Audit every page for jQuery script tags pointing to a third party origin, download the matching version, host it on the same domain or on an EU CDN, add a Subresource Integrity hash to the script tag for security, document the choice in the privacy notice, and remove the dependency on code.jquery.com or googleapis.com if user consent is not collected. Where consent is preferred, integrate the script load into the Consent Management Platform so it only fires after opt-in.
Websites using jQuery must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required when jQuery is self-hosted from the same origin as the website. A short transfer impact assessment is recommended when the library is loaded from a non-EU CDN, documenting the data minimisation (only IP and User-Agent), the certification of the CDN provider under the EU-US Data Privacy Framework, and the option to self-host or switch to a strictly EU CDN.
Sample consent text
This website loads jQuery from an external content delivery network. When the script is fetched, your IP address and browser information are transmitted to the CDN provider. By clicking Accept, you authorise this technical request. You can also choose Reject and the website will load a self-hosted version of jQuery from our own domain.
Third-party domains contacted
code.jquery.comajax.googleapis.comcdnjs.cloudflare.comjquery.comThis service may collect user data. Ensure GDPR compliance with FlowConsent.
No. The jQuery library does not set cookies, does not write to localStorage and does not fingerprint the browser. It is a pure DOM and AJAX helper. The only data exchanged with the network is the HTTP request that downloads the script file, which includes the visitor IP, User-Agent and referrer headers handled by the hosting CDN.
When jQuery is self-hosted from the same domain as the website, no consent is needed. When loaded from a third party CDN such as code.jquery.com, ajax.googleapis.com or cdnjs.cloudflare.com, the visitor IP is transmitted to a non-EU provider. Following the Bonn Regional Court ruling on Google Fonts, this transfer can require prior consent unless self-hosting or an EU CDN is used.
Legitimate interest under Article 6(1)(f) GDPR is sufficient for self-hosted jQuery. For third party CDN loading, either gather prior opt-in consent (Article 6(1)(a)) or rely on a documented legitimate interest with proper transfer impact assessment and clear privacy information.
Yes when a public CDN is used. code.jquery.com, ajax.googleapis.com and cdnjs.cloudflare.com are operated by US controlled entities. Google LLC and Cloudflare Inc. are certified under the EU-US Data Privacy Framework. To eliminate the transfer entirely, host the script on your own EU based server.
No, jQuery alone does not justify a DPIA. A short transfer impact assessment is enough when an external CDN is used. Only embed the assessment in a broader DPIA if jQuery is combined with high risk processing in the same site.
Self-host the jQuery file from your own domain or an EU based CDN, add a Subresource Integrity hash and a Content Security Policy that pins the source, document the choice in the privacy notice and audit periodically that no third party tag silently re-imports jQuery from a US CDN.
Modern browsers support most of what jQuery provides natively: document.querySelector, addEventListener, fetch and the Web Animations API replace nearly all common jQuery patterns. Lightweight alternatives include Cash, Zepto.js and umbrella.js. For new projects, a framework such as Alpine.js, Stimulus, Vue or React often supersedes jQuery.
If jQuery is self-hosted, no specific mention is required. If a third party CDN is used, list the CDN provider, describe that the visitor IP is transmitted on each page load, mention the EU-US Data Privacy Framework or Standard Contractual Clauses applicable, and link to the CDN provider privacy policy.