Materialize CSS is an open-source front-end framework built around Google Material Design. It ships as static CSS and JavaScript files that publishers can bundle locally or load from a public CDN such as cdnjs, jsDelivr or unpkg. The library itself does not store cookies or fingerprint visitors, but loading it from a third-party CDN transmits IP and User-Agent data to that provider, which raises GDPR and ePrivacy considerations similar to the Google Fonts ruling.
Materialize CSS is an open-source front-end framework that implements the Material Design specification published by Google. It bundles a stylesheet, a JavaScript file and a small set of icon and font dependencies. Publishers integrate the framework by either downloading the files and serving them from their own infrastructure, or by referencing one of the public CDNs that mirror the package, such as cdnjs, jsDelivr or unpkg. The runtime behaviour is purely presentational: layout grids, form controls, modals and ripple effects are rendered locally in the browser without any server callback.
The framework itself does not set cookies, does not read localStorage and does not perform any background HTTP request to its maintainers. The only personal data that reaches a remote party is the standard HTTP envelope (IP address, User-Agent, Referer) sent to whichever server delivers the static assets. When the publisher self-hosts the files, that server is the publisher's own infrastructure and no third party is involved. When a public CDN is used, the visitor's browser opens a TLS connection to the CDN operator and these technical attributes are transmitted to it.
Because no information is stored in or read from the terminal device, Article 5(3) of the ePrivacy Directive does not directly require consent for the framework itself. The CJEU Google Fonts case decided by the Munich Regional Court (LG Munich 3 O 17493/20) nevertheless established that automatic transmission of an IP address to a Google server, without the explicit knowledge of the visitor, constitutes a violation of the right to informational self-determination when no overriding legitimate interest is documented. The reasoning extends by analogy to any third-party CDN delivery of static assets, including Materialize CSS files loaded from cdnjs or unpkg.
The main public CDNs that distribute Materialize CSS are operated by Cloudflare (cdnjs and unpkg) and Fastly or Cloudflare (jsDelivr). All of them maintain points of presence in the United States and route traffic through globally distributed edge nodes. From a GDPR Chapter V perspective, this counts as a transfer to a third country whenever an EU visitor reaches a non-EU edge. Most providers are certified under the EU-US Data Privacy Framework, which provides an adequacy basis under the July 2023 Commission decision. Standard Contractual Clauses remain the fallback safeguard for jurisdictions outside the framework.
For a self-hosted deployment, the legal basis is straightforward legitimate interest under Article 6(1)(f) and no specific consent banner is needed. For CDN-based delivery, regulators in Germany, France and Italy have signalled that prior consent is the safer route, especially after the Google Fonts case. A formal DPIA under Article 35 is not mandatory, but a documented balancing test and a transfer impact assessment are strongly recommended whenever the framework is loaded from outside the European Economic Area.
The most defensible posture is to bundle the Materialize CSS files inside the publisher's own deployment pipeline, served from the same domain as the rest of the site. This eliminates third-party transfers, preserves performance through HTTP/2 multiplexing and removes the need for a consent dialog dedicated to the framework. If CDN delivery is preferred for caching reasons, an EU-based CDN (BunnyCDN, KeyCDN, Scaleway Edge) keeps traffic inside the EEA. Open alternatives in the same design space include MUI, Bootstrap Material, Materialize.css forks maintained by the community and the official Material Web Components.
Websites using Materialize CSS must obtain user consent under GDPR regulations.
DPIA considerations
A formal DPIA under Article 35 GDPR is generally not required for Materialize CSS because the library processes no personal data beyond what any HTTP request already entails. However, when the framework is loaded from a public CDN, a balancing test under Article 6(1)(f) and a transfer impact assessment should be documented. The assessment should compare self-hosted delivery against CDN delivery and justify the choice based on performance, security and privacy criteria.
Sample consent text
This site uses the Materialize CSS framework for visual presentation. When the library is loaded from the cdnjs network, your browser shares its IP address and User-Agent with the CDN operator. No tracking cookies are set. You can disable third-party CDN delivery in the cookie settings, in which case the framework will be served from our own servers.
Third-party domains contacted
cdnjs.cloudflare.com, cdn.jsdelivr.net, unpkg.com, fonts.googleapis.com
No. The Materialize CSS framework is a static collection of CSS rules, JavaScript components and icon fonts. It does not call any backend service, does not write to document.cookie and does not access localStorage. The only network traffic it generates is the initial download of its asset files. If you self-host these files, no third party ever sees the visitor.
No when the framework is served from your own domain: there is no third-party processing, no terminal storage and no tracking. Yes (or a robust legitimate interest analysis) when the framework is loaded from a public CDN such as cdnjs, jsDelivr or unpkg, because the visitor IP is then transmitted to a third-party provider that may host servers in the United States.
Self-hosted, the lawful basis is legitimate interest under Article 6(1)(f) GDPR: the framework simply renders the interface, no personal data is processed beyond server log entries. CDN-hosted, you must choose between consent (Article 6(1)(a) plus Article 5(3) ePrivacy) or a documented legitimate interest that withstands the Google Fonts case law, ideally backed by a balancing test and a transfer impact assessment.
Self-hosting from EU servers means no transfer. Loading from cdnjs, jsDelivr or unpkg routes the request through globally distributed networks operated by Cloudflare or Fastly, with infrastructure in the United States and other third countries. Most operators are certified under the EU-US Data Privacy Framework, which provides an adequacy basis, but SCCs should be ready as a fallback.
In most situations no. The processing is limited to delivering static visual assets, the data involved is minimal and the risks to data subjects are low. A formal DPIA under Article 35 GDPR is reserved for high-risk processing. A short risk note, a balancing test and a transfer impact assessment for the CDN scenario are nevertheless prudent housekeeping documents.
Bundle the materialize.min.css and materialize.min.js files inside your build pipeline, commit them to your asset folder and serve them from the same hostname as the site. Mirror the Material Icons font locally too. This removes any third-party connection, simplifies Content Security Policy and avoids the need for a dedicated consent banner.
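A check for the self-hosting setup described above, as an added example that is not part of the original page: it parses a page's HTML and reports every subresource fetched from a host other than the site's own, marking the CDN hosts this page lists. The sample HTML, the example.org origin, the /assets/ paths and the VERSION path segment are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Third-party hosts the page lists for Materialize CSS deployments.
KNOWN_CDN_HOSTS = {"cdnjs.cloudflare.com", "cdn.jsdelivr.net",
                   "unpkg.com", "fonts.googleapis.com"}
# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}
# <link rel> values that trigger a request (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "prefetch",
                 "preconnect", "dns-prefetch", "icon"}

# Constructed sample page; VERSION is a placeholder, not a real release.
SAMPLE = """
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="/assets/materialize.min.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons">
<script src="//cdnjs.cloudflare.com/ajax/libs/materialize/VERSION/js/materialize.min.js"></script>
<script src="/assets/materialize.min.js"></script>
"""

class AssetAuditor(HTMLParser):
    """Collects subresource URLs served from a host other than the page's own."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, absolute_url, host, is_listed_cdn)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        # urljoin resolves relative and protocol-relative (//host/...) URLs.
        absolute = urljoin(self.page_url, value)
        host = urlsplit(absolute).hostname
        if host and host != self.own_host:
            self.findings.append((tag, absolute, host, host in KNOWN_CDN_HOSTS))

def audit(html, page_url):
    auditor = AssetAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    print(*audit(SAMPLE, "https://www.example.org/"), sep="\n")
```

An empty result for every template means the browser contacts no third-party host for static assets, which is the state the self-hosting advice aims for; the host comparison is exact, so a separate asset subdomain of the same site is reported as well.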
Among open frameworks with comparable scope, MUI offers a polished Material Design React library, Bootstrap Material reuses the popular Bootstrap grid, and the Material Web Components are maintained by the Material team itself. All of them can be self-hosted from EU infrastructure. Tailwind CSS combined with daisyUI is another lightweight option that keeps all assets local.
If you self-host the files, only a short technical mention is needed and no cookie banner change is required. If you rely on a public CDN, add a line to your cookie or privacy policy describing the CDN provider, the categories of data exchanged (IP, User-Agent), the legal basis used and the data transfer mechanism (DPF or SCCs). Review this notice each time you change CDN provider.