Tailwind CSS CDN refers to the Tailwind Play CDN published by Tailwind Labs Inc., a US company, and to the public CDN endpoints (cdn.tailwindcss.com, jsDelivr, unpkg) that serve the framework as a single CSS or JavaScript file. The CDN does not set cookies by itself, but every request exposes the visitor IP address, user agent and referrer to the edge node, which may be operated by Cloudflare or Fastly outside the EEA.
Tailwind CSS is a utility-first CSS framework published by Tailwind Labs Inc., a US company headquartered in California. Tailwind CSS CDN designates the option of loading the framework directly from a content delivery network instead of bundling it into the site build. The two most common endpoints are the official Tailwind Play CDN at cdn.tailwindcss.com and the third-party mirrors at jsDelivr (cdn.jsdelivr.net) and unpkg (unpkg.com), which serve the npm package tailwindcss as a single CSS or JavaScript file.
In all three cases the visitor browser makes an HTTP GET request to a third party origin. The CDN does not register any service worker, does not run analytics scripts of its own and does not set cookies on the visitor terminal.
Even without cookies, every CDN request exposes the IP address of the visitor, the user agent string, the language headers, the referrer header (the page on your site that triggered the request) and the timestamp to the edge node. jsDelivr is operated by Prospect One Sp. z o.o. (Poland) and is fronted by Cloudflare, Fastly and Bunny CDN. unpkg is run by Cloudflare from the United States. cdn.tailwindcss.com is also fronted by Cloudflare.
Under the CJEU Breyer ruling and the EDPB guidelines, the visitor IP is personal data, and the edge log is therefore a processing of personal data within the scope of the GDPR.
Because the CDN does not read or write information on the visitor terminal beyond the HTTP cache (no cookies, no localStorage, no fingerprinting), Article 5(3) of the ePrivacy Directive is not triggered and prior consent is not required. The processing of the IP at the edge falls under Article 6(1)(f) GDPR (legitimate interest in delivering the requested CSS file). The German Telekom Deutschland judgment (C 252/21) and the various national DPA decisions on Google Fonts confirm that a CDN call should be transparent and, where possible, minimised or self hosted.
The transfer risk depends on which CDN ultimately answers the request. Tailwind Labs (cdn.tailwindcss.com) and unpkg are US operated and Cloudflare and Fastly serve traffic from edge nodes worldwide including the United States. Even when the closest edge sits in Europe, the operator headquarters in the US can in theory be compelled to access logs. Rely on the EU US Data Privacy Framework where Cloudflare and Fastly are certified, on Standard Contractual Clauses otherwise, and consider self hosting the production CSS bundle to avoid the cross border flow altogether.
The Tailwind Play CDN is explicitly intended for prototyping. For production, run the Tailwind CLI or PostCSS build locally, generate a purged CSS file and ship it from your own origin. This eliminates the third party CDN call entirely, removes the Schrems II analysis and improves caching control. If you must keep the CDN, pin a specific version (for example cdn.jsdelivr.net/npm/tailwindcss@<version>) and disclose the CDN call in your privacy notice.
List the CDN endpoint in your privacy notice as a recipient of the visitor IP, document the legitimate interest balancing test, and explain why the request is not gated behind a cookie banner (no cookies are set). Add a Content Security Policy directive that restricts script and style sources to your origin plus the chosen CDN, set Subresource Integrity on the script tag, and monitor the dependency for security updates. For sites with high privacy requirements, self host the compiled CSS and remove the third party request.
Websites using Tailwind CSS CDN must obtain user consent under GDPR regulations.
DPIA considerations
The Tailwind CSS Play CDN is a low risk component because it does not set cookies and does not collect personal data beyond the standard server log (IP, user agent, referrer). A DPIA is not normally required. However, document the choice of CDN (cdn.tailwindcss.com, jsDelivr or unpkg) in the record of processing, note the legitimate interest assessment for the IP exposure to the edge operator, list the third country to which IPs may be exposed (mostly the United States via Cloudflare or Fastly) and consider self hosting the production build to avoid third party requests altogether.
Sample consent text
This website loads the Tailwind CSS framework from a public CDN (cdn.tailwindcss.com, jsDelivr or unpkg). The CDN edge sees your IP address and your browser user agent and processes them under our legitimate interest in delivering the page styling. The CDN does not set cookies. You can read more in our privacy notice.
Third-party domains contacted
cdn.tailwindcss.com, cdn.jsdelivr.net, unpkg.com, tailwindcss.com, registry.npmjs.org
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none | None | N/A | The Tailwind CSS Play CDN does not set any cookies on the visitor terminal. It is a static CSS or JavaScript asset served over HTTPS, with no service worker, no localStorage entry and no fingerprinting. The only persistent state is the standard HTTP cache controlled by the browser. |
The Tailwind CSS CDN does not set cookies, does not register a service worker, does not run analytics scripts and does not store anything in localStorage. The only data it processes is the standard server log generated by the HTTP request: the visitor IP address, the user agent, the language headers, the referrer (the URL of your page) and the timestamp. This log is held by the edge operator (Cloudflare, Fastly, Bunny CDN), by the CDN platform (jsDelivr, unpkg or cdn.tailwindcss.com) and by Tailwind Labs Inc. when the official endpoint is used.
Article 5(3) of the ePrivacy Directive only triggers a consent requirement when the service reads or writes information on the user terminal beyond what is strictly necessary. The Tailwind CSS CDN does neither (no cookies, no localStorage, no fingerprinting), so it does not need a cookie banner consent. The processing of the IP at the edge still falls under the GDPR, but it can be justified by legitimate interest (Art. 6(1)(f)) in delivering the requested CSS. The CDN call must, however, be disclosed in the privacy notice.
The IP exposure to the CDN edge is processed under Article 6(1)(f) GDPR, legitimate interest in delivering the page styling to the visitor browser. Document the balancing test in your record of processing: necessity (no first party copy available without extra build steps), reasonable expectations of the visitor (loading remote assets is standard web behaviour) and minimisation (the request only carries technical headers, no personal identifiers beyond the IP and user agent).
Often, yes. Tailwind Labs (cdn.tailwindcss.com), unpkg, Cloudflare and Fastly are US companies, even if their edge nodes are distributed globally. A request that terminates at a European edge may still result in log replication to the US headquarters. Document the transfer in your record of processing, rely on the EU US Data Privacy Framework where the operator is certified, otherwise on Standard Contractual Clauses, and consider self hosting the production CSS bundle to remove the transfer entirely.
No, a DPIA is generally not required for a static CSS asset served by a public CDN. The processing has a low risk profile: no cookies, no profiling, no special category data and only standard server log items. A DPIA only becomes necessary when the CDN call is bundled with other higher risk processing (for example a large scale tracking solution from the same vendor) or when your sector regulator imposes a default DPIA for any US transfer.
Either move to the production workflow (Tailwind CLI or PostCSS build, then serve a purged CSS file from your own origin) or, if you keep the CDN, pin a specific version and add a Subresource Integrity hash to the script tag. Configure a Content Security Policy that restricts style sources to your origin plus the chosen CDN. Disclose the CDN call in the privacy notice with the recipient operator (Cloudflare, Fastly, Tailwind Labs) and the legitimate interest justification.
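The version pin, Subresource Integrity and Content Security Policy steps recommended above (and in the earlier compliance guidance) can be checked automatically. The following is an added example, not code from Tailwind Labs or from this page's author: it audits a page's HTML for tags that load from the three CDN hosts named here and derives a matching CSP header. The sample HTML, the `0.0.0` version and the file path are constructed for illustration.

```python
import base64, hashlib, re
from html.parser import HTMLParser
from urllib.parse import urlparse

CDN_HOSTS = {"cdn.tailwindcss.com", "cdn.jsdelivr.net", "unpkg.com"}  # hosts named on this page
PINNED = re.compile(r"@\d+\.\d+\.\d+")          # exact x.y.z version in the URL path
SRI_ALGS = ("sha256-", "sha384-", "sha512-")    # hash prefixes accepted by browsers

def sri_sha384(body: bytes) -> str:
    """integrity attribute value for a file whose bytes you have reviewed."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class CdnAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.hosts = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        parsed = urlparse(url or "")
        if parsed.hostname not in CDN_HOSTS:
            return                                # first-party or unrelated asset
        self.hosts.add(parsed.hostname)
        if not PINNED.search(parsed.path):
            self.findings.append((url, "version not pinned"))
        if not (a.get("integrity") or "").startswith(SRI_ALGS):
            self.findings.append((url, "no integrity attribute"))
        elif "crossorigin" not in a:
            # cross-origin SRI needs a CORS fetch, otherwise the browser blocks the file
            self.findings.append((url, "integrity without crossorigin"))

def audit(html: str):
    parser = CdnAudit()
    parser.feed(html)
    parser.close()
    return parser.findings, parser.hosts

def csp_for(hosts) -> str:
    """CSP limiting scripts and styles to this origin plus the CDN hosts in use."""
    src = " ".join(["'self'"] + sorted(f"https://{h}" for h in hosts))
    return f"Content-Security-Policy: script-src {src}; style-src {src}"

# Constructed sample page: one unpinned Play CDN tag, one pinned tag with SRI.
SAMPLE = f'''<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/tailwindcss@0.0.0/dist/example.min.css"
      integrity="{sri_sha384(b"constructed file body")}" crossorigin="anonymous">
<script src="/static/app.js"></script>'''

if __name__ == "__main__":
    findings, hosts = audit(SAMPLE)
    print(findings, csp_for(hosts), sep="\n")
```

A self-hosted build produces an empty host set, so the derived policy collapses to `'self'` only.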
The recommended alternative is self hosting: run the Tailwind CLI or PostCSS build at deploy time, generate a CSS file containing only the classes you actually use, and serve it from the same origin as the rest of the site. This removes the third party CDN call entirely. If you must keep a CDN, prefer a jsDelivr or unpkg pinned version with Subresource Integrity, or use a European CDN such as BunnyCDN with EU only point of presence and a documented sub processor list.
Add a brief paragraph that names the CDN endpoint actually used (cdn.tailwindcss.com, cdn.jsdelivr.net or unpkg.com), the operator (Tailwind Labs Inc., Prospect One Sp. z o.o. for jsDelivr, Cloudflare Inc. for unpkg and the front edges), the categories of data processed (IP, user agent, referrer, timestamp), the legal basis (Art. 6(1)(f) GDPR legitimate interest), the absence of cookies and the international transfer mechanism (DPF or SCCs). State the retention period at the CDN level and the contact for exercising data subject rights.