Leaflet is the leading open source JavaScript library for interactive web maps. The library itself sets no cookies. The privacy impact depends on the tile provider chosen by the publisher (OpenStreetMap, Stadia Maps, MapTiler, CARTO, Mapbox).
Leaflet is the most widely used open source JavaScript library for interactive web maps. It is lightweight (around 40 KB gzipped), mobile friendly, and powers thousands of map deployments across news sites, ecommerce, governments and tourism. Leaflet itself only renders map tiles, markers, popups, polygons and overlays; it does not provide the geographic data. The publisher chooses a tile provider and a geocoder separately, which determines the privacy posture of the map.
The Leaflet library runs entirely client side. It does not write cookies, does not use local storage and does not collect any telemetry. The library can be loaded from a public CDN (unpkg, jsDelivr) or bundled with the publisher's own assets. The only network calls happen when the map fetches tiles from the configured tile URL, which is the responsibility of the chosen tile provider.
EU friendly options include the OpenStreetMap tile server (operated by the OSM Foundation in the UK with European mirrors), Stadia Maps (Sweden), MapTiler (Switzerland with EU hosting), Geoapify (Germany) and CARTO with EU residency in Madrid. US options include Mapbox, CARTO with US backend, Mapquest and Bing Maps tiles. With an EU provider no consent is required because the tile request is necessary to render the requested map and stays inside the EU. With a US provider the publisher must rely on consent or document a legitimate interest test plus the EU US Data Privacy Framework.
For full data control, the publisher can self host tiles using OpenMapTiles, TileServer GL or Protomaps PMTiles served from a CDN like Bunny.net. Self hosting removes any third party transfer and any consent requirement; the tiles are delivered from the publisher's own domain alongside the rest of the site. Storage cost is the trade off (a global vector tileset is about 80 GB compressed).
Choose an EU tile provider whenever possible, document the chosen provider in the privacy notice as a sub processor, sign the DPA with the tile provider if it offers one (most EU providers do), gate the map behind consent only if the tile provider is in the United States, add the integrity attribute (SRI) to the Leaflet script tag, and consider Protomaps PMTiles for fully self hosted vector tiles.
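The SRI recommendation above can be checked mechanically. The following is an added example, not code from Leaflet or from this page: it scans a page's HTML for Leaflet assets loaded from the public CDNs this page lists and reports tags without a well-formed `integrity` value, without `crossorigin`, or without a pinned version. It checks the form of the attribute only, not that the hash matches the file; the function names, the `site.example` base URL and the sample HTML are assumptions made for illustration.

```javascript
// CDN hosts taken from this page's list of third-party domains.
const CDN_HOSTS = new Set(['unpkg.com', 'cdn.jsdelivr.net', 'cdnjs.cloudflare.com']);
// Base64 length of each digest SRI accepts (32, 48 and 64 byte hashes).
const DIGEST_B64_LEN = { sha256: 44, sha384: 64, sha512: 88 };

// Returns the attribute value, '' for a bare attribute, or null when absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'))?(?=[\\s/>])`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? '') : null;
}

// Checks form only: a known algorithm and a digest of the right length.
function validIntegrity(value) {
  if (!value) return false;
  return value.trim().split(/\s+/).some((entry) => {
    const m = entry.match(/^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})$/);
    return m !== null && m[2].length === DIGEST_B64_LEN[m[1]];
  });
}

function auditLeafletTags(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<(script|link)\b[^>]*>/gi)) {
    const url = attr(tag, /^<script/i.test(tag) ? 'src' : 'href');
    if (!url) continue;
    let host;
    try { host = new URL(url, 'https://site.example/').hostname; } catch { continue; }
    if (!CDN_HOSTS.has(host) || !/leaflet/i.test(url)) continue;
    const problems = [];
    if (!validIntegrity(attr(tag, 'integrity'))) problems.push('missing or malformed integrity');
    // A cross-origin fetch without crossorigin is not CORS-enabled, so SRI cannot validate it.
    if (attr(tag, 'crossorigin') === null) problems.push('missing crossorigin');
    // An integrity hash matches one file only, so the URL must name an exact version.
    if (!/@\d+\.\d+\.\d+|\/\d+\.\d+\.\d+\//.test(url)) problems.push('version not pinned');
    if (problems.length) findings.push({ url, problems });
  }
  return findings;
}

// Constructed sample page; the digest is a placeholder of the right shape, not a real hash.
const PLACEHOLDER = 'sha384-' + 'A'.repeat(64);
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.4/dist/leaflet.css">
<script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js" integrity="${PLACEHOLDER}" crossorigin=""></script>
<script src="https://cdn.jsdelivr.net/npm/leaflet/dist/leaflet.js" integrity="sha384-short"></script>
<script src="/assets/leaflet.js"></script>`;

console.log(JSON.stringify(auditLeafletTags(SAMPLE_HTML), null, 2));
```

On the sample, the stylesheet and the unpinned jsDelivr script are reported; the fully attributed unpkg script and the self hosted copy are not.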
DPIA considerations
A DPIA is not required for Leaflet itself. It is recommended when a US tile provider (Mapbox, CARTO US) is used because of the IP transfer to the United States. With EU tile providers (OpenStreetMap, Stadia Maps, MapTiler, CARTO Madrid) no DPIA is needed for the standard map use case. The DPIA, when needed, should document the tile provider, the IP transfer mechanism (Data Privacy Framework or SCCs), the volume of tile requests and the use of any GeoJSON overlay containing personal data.
Sample consent text
Our website displays maps powered by Leaflet, an open source JavaScript mapping library. Leaflet itself sets no cookie. The map tiles are loaded from {provider}, which receives your IP address to deliver the requested tiles. Replace {provider} with the actual tile source you use (OpenStreetMap, Stadia Maps, MapTiler, CARTO, Mapbox, self hosted). If the tile provider is in the United States, the transfer is documented in our privacy notice.
Third-party domains contacted
unpkg.com, cdn.jsdelivr.net, cdnjs.cloudflare.com, tile.openstreetmap.org, leafletjs.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| none | N/A | N/A | The Leaflet JavaScript library does not set any cookies, local storage or telemetry. Any cookies seen on a Leaflet powered map come from the tile provider chosen by the publisher (OpenStreetMap, Stadia Maps, MapTiler, Mapbox). |
None. Leaflet is a client side JavaScript library that sets no cookies, no local storage and no telemetry. The tile provider chosen by the publisher may set its own cookies.
For Leaflet itself, no. Consent depends on the tile provider: not required for EU providers (OpenStreetMap, Stadia Maps, MapTiler, Geoapify, CARTO Madrid); required when a US tile provider (Mapbox, CARTO US) is used because the IP is transferred to the United States.
Legitimate interest of the publisher (GDPR art. 6(1)(f)) to render the map. For the tile provider: legitimate interest plus ePrivacy exemption for EU providers, consent for US providers under GDPR art. 6(1)(a).
Only if the chosen tile provider is in the United States. EU providers like OpenStreetMap, Stadia Maps, MapTiler keep the tile requests inside the EU or under EEA equivalence. Self hosting eliminates third party transfers entirely.
Not for Leaflet itself. Recommended only when a US tile provider is used and the map is heavily used (high frequency of IP transfers).
Pick an EU tile provider, sign the DPA with the provider, list the provider in the privacy notice as a sub processor, add SRI integrity attribute to the Leaflet script, self host tiles for maximum control, gate the map behind consent only if you stick with a US provider.
OpenLayers (open source, similar functionality), MapLibre GL JS (vector tile rendering, open source fork of Mapbox GL JS), Mapbox GL JS (Mapbox specific), Apple MapKit JS, Google Maps JavaScript API. Leaflet remains the lightest and the most ecosystem rich choice with the broadest provider compatibility.
State that Leaflet itself sets no cookies. List the tile provider as a sub processor with its country and data flow. Mention the IP transfer if the provider is in the United States. Describe any geocoder or routing API separately if used.