React is the most popular JavaScript UI library, created and open sourced by Meta and maintained today by Meta plus a large community. It enables developers to build component-based interfaces with hooks, virtual DOM diffing and a unidirectional data flow. React itself does not set cookies, does not call home and does not collect data. The privacy considerations on a website come from how React is delivered: bundled with the application code (no third party), or loaded from a public CDN such as unpkg, jsDelivr or cdnjs, which logs the visitor IP.
React is an open source JavaScript library released by Meta in 2013 under the MIT license. It builds user interfaces from reusable components, uses a virtual DOM to compute minimal updates and exposes hooks for state management, side effects and context. React is the foundation of Next.js, Remix, Gatsby, React Native and countless internal applications. On a website React typically appears as a bundled JavaScript file produced by a tool such as Vite, Webpack, esbuild or Turbopack and served from the same origin as the HTML.
React itself does not set cookies, does not call back to Meta servers and does not collect telemetry. Server-side rendering through ReactDOMServer also stays on the operator's infrastructure. The library is fully self-contained once it is downloaded. The only personal data exchanged with the network is the standard HTTP request that fetches the JavaScript bundle, which includes the visitor IP, the User-Agent header and TLS metadata processed by whatever host delivers the file.
Because React does not write to the user device, the strict cookie consent rule of Article 5(3) ePrivacy does not apply. However, when the React UMD build is loaded from unpkg.com, cdn.jsdelivr.net or cdnjs.cloudflare.com, the visitor IP is transmitted to the CDN. The Bonn Regional Court ruling on Google Fonts (20 January 2022) showed that European courts may consider this transmission as personal data processing that requires either consent or a documented legitimate interest. Bundling React with the application avoids the question entirely.
Production deployments almost always bundle React rather than load it from a CDN, eliminating the cross-border transfer. When a CDN is used for prototyping or documentation, Cloudflare Inc. (operator of cdnjs and a significant portion of jsDelivr and unpkg) and Fastly Inc. are both US-controlled and certified under the EU-US Data Privacy Framework, providing an adequacy basis for the limited data transmitted.
Legitimate interest under Article 6(1)(f) GDPR is the standard basis for React in production: the library is bundled, served from the operator domain and indistinguishable from the rest of the application JavaScript. No specific consent is required. When the React UMD build is loaded from a public CDN, treat it like jQuery and either bundle it or integrate the script tag into the Consent Management Platform.
Bundle React with the application code through npm or yarn, deploy the resulting JavaScript on the same domain as the website or on an EU CDN such as Bunny CDN or Scaleway Edge, configure a Content Security Policy that restricts script sources, audit periodically that no developer tool re-imports React from unpkg in production, and document the framework choice in the privacy notice if cookies or data are processed by features built on top of React.
Websites using React must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not necessary for React itself. A short transfer impact assessment is recommended when React is loaded from a non-EU CDN at runtime. Document that the only data transmitted is IP and User-Agent from a static file fetch, that the CDN provider is certified under the EU-US Data Privacy Framework, and that bundling React with the application removes the transfer entirely.
Sample consent text
This website is built with the React library. React itself does not collect data or set cookies. The compiled JavaScript bundle is served from our own domain and does not contact Meta or any external service at runtime. By using this site, no consent for React is required beyond standard website operation.
Third-party domains contacted
unpkg.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, react.dev
No. React is a UI rendering library that does not set cookies, does not write to localStorage and does not collect telemetry. Any cookies on a React-powered website come from other components: authentication, analytics, marketing or backend session management, not from React itself.
For a production deployment where React is bundled with the application JavaScript and served from your own domain, no specific consent is required. The script is indistinguishable from the rest of the website code. Consent considerations may apply if you load React from a public CDN such as unpkg.com or cdn.jsdelivr.net, because the visitor IP is then transmitted to a non-EU provider.
Legitimate interest under Article 6(1)(f) GDPR is the standard basis when React is bundled and self-hosted. The processing is limited to delivering the website code, which is essential to the contract or legitimate interest of operating the service. Consent is not required for the library itself.
React is an open source library; the code itself does not communicate with Meta servers after installation. Data is only transferred to the US if you serve React from a US CDN (unpkg, jsDelivr, cdnjs) instead of bundling it. Bundling React with your application removes any cross-border transfer associated with the library.
No, React alone does not trigger a DPIA requirement. Document the library as part of your general technical stack. A DPIA may be required for the features built on top of React (authentication, profiling, behavioural analytics) but not for the rendering layer itself.
Install React through npm or yarn, bundle it with the rest of the application code using Vite, Webpack, esbuild or Turbopack, deploy the static assets on your own domain or an EU CDN such as Bunny CDN or Scaleway Edge, and configure a Content Security Policy that pins the script source. Do not load React from a public CDN in production.
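The two checks named above, that no script tag in the built HTML points at a public CDN and that the Content Security Policy does not allow one either, can run as a build or release step. The following is an added example, not code from React or from this page; the function names, the sample HTML, the sample header and the origin `https://shop.example` are constructed for illustration.

```javascript
// Public CDN hosts named on this page; extend the list to match your own policy.
const PUBLIC_CDNS = ["unpkg.com", "cdn.jsdelivr.net", "cdnjs.cloudflare.com"];
const isPublicCdn = (host) =>
  PUBLIC_CDNS.some((cdn) => host === cdn || host.endsWith("." + cdn));

// Every <script src> in the built HTML that resolves to a public CDN host.
function findCdnScripts(html, pageOrigin) {
  const hits = [];
  for (const m of html.matchAll(/<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi)) {
    let url;
    try { url = new URL(m[1], pageOrigin); } catch { continue; }
    if (isPublicCdn(url.hostname)) hits.push(url.href);
  }
  return hits;
}

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values); // first one wins
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// CSP source expressions that would still let the browser load script from a public CDN.
function cspProblems(csp) {
  const sources = scriptSources(csp);
  if (sources === null) return ["no script-src or default-src, so scripts are unrestricted"];
  const problems = [];
  for (const src of sources) {
    if (src.startsWith("'")) continue; // keywords, nonces and hashes name no host
    if (["*", "https:", "http:"].includes(src)) { problems.push(`${src} allows every host`); continue; }
    const hostPart = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split(/[/:]/)[0];
    const base = hostPart.replace(/^\*\./, "");
    const coversCdn = isPublicCdn(base) ||
      (hostPart.startsWith("*.") && PUBLIC_CDNS.some((cdn) => cdn.endsWith("." + base)));
    if (coversCdn) problems.push(`${src} allows a public CDN`);
  }
  return problems;
}

// Constructed sample input: a build that still pulls the React UMD file from unpkg.
const SAMPLE_HTML = `<div id="root"></div>
<script src="/assets/index-4f2a.js"></script>
<script crossorigin src="https://unpkg.com/react@18/umd/react.production.min.js"></script>`;
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net";
console.log(findCdnScripts(SAMPLE_HTML, "https://shop.example"), cspProblems(SAMPLE_CSP));
```

A non-empty result from either function should fail the release; the HTML scan uses a regular expression, so it covers static markup only and not script tags injected at runtime.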
Alternatives include Vue.js, Svelte, SolidJS, Preact (a smaller React-compatible library), Lit and Angular. For server-rendered approaches, Astro, Hotwire, HTMX and Phoenix LiveView can replace much of the React surface. The right choice depends on team skills, ecosystem requirements and performance budgets.
React itself does not require a specific mention. The privacy notice should describe the rest of the JavaScript stack and any cookies set by features built on React (authentication, analytics, A/B testing). Mention any third-party CDN if used in production, with the applicable transfer mechanism.