Adobe Fonts and Data Protection – What Belongs in Your Privacy Policy

If a website operator uses Adobe Fonts, they typically process web server log data – in particular the IP address – for the purpose of delivering web fonts, on the basis of consent or a legitimate interest in functionality and efficiency. This page explains what data Adobe Fonts processing typically involves, how the integration works technically, and which mandatory information website operators should include in their privacy policy.

A. Purpose and Functionality of Adobe Fonts

Adobe Fonts (formerly Typekit) is a cloud-based font service from the Adobe group. Website operators can license a curated selection of font families through an Adobe account and use them on their website. Technically, integration is typically done via a JavaScript snippet or a CSS reference (<link>) to the Adobe delivery domain (e.g. use.typekit.net). When a page is loaded, the visitor's browser fetches the font files directly from Adobe servers.

This article focuses on this integration function (web font delivery via Adobe servers). Adobe also offers a desktop sync for Adobe Creative Cloud applications and other services; these features lie outside the website operator's web use case and are not addressed here.

Alternatively, many Adobe fonts can be self-hosted locally where the respective font foundry's licensing terms allow. Local self-hosting transmits no data to Adobe; the font files are served from the website operator's own server.

B. Mandatory Information in the Privacy Policy When Using Adobe Fonts

The GDPR requires website operators to inform visitors transparently about data processing. In addition to general information about the controller, data subject rights and the supervisory authority, the following information is mandatory when using specific tools such as Adobe Fonts:

• the purposes of processing (Art. 13(1)(c) GDPR),
• the legal bases of processing (Art. 13(1)(c) GDPR),
• where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
• the recipients or categories of recipients of personal data (Art. 13(1)(e) GDPR),
• whether data is transferred to an unsafe third country outside the EU/EEA and on what basis (Art. 13(1)(f) GDPR),
• the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
• and – where data is not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR).

These mandatory items are broken down for Adobe Fonts in the following sections.

In practice, it is not necessary to list every single tool – including Adobe Fonts – with its own text block in the privacy policy. While this practice has become widespread, it leads to long, formulaic texts that repeat themselves and make the privacy policy hard to maintain. A topic-oriented approach that describes processing operations across categories (server operation, third-party content, tracking, newsletter, etc.) and lists specific service providers in a recipient appendix is generally more appropriate and aligns better with the transparency principle in Art. 12(1) GDPR. The matterius generator follows precisely this approach.

C. Provider of Adobe Fonts

According to publicly available information from Adobe, the contracting party for website operators based in the EEA is generally

Adobe Systems Software Ireland Limited 4–6 Riverwalk, Citywest Business Campus Dublin 24, Ireland

The parent company is Adobe Inc., based in San Jose, California, USA. Within group-internal processing, data flows to the USA are possible. According to entries in the DPF list (https://www.dataprivacyframework.gov/s/participant-search), Adobe Inc. is certified under the EU-US Data Privacy Framework (DPF); website operators should verify the current status before deployment. Where DPF coverage does not apply, data transfers can typically be based on Standard Contractual Clauses (SCC).

Adobe's privacy notices are available at https://www.adobe.com/privacy/policy.html; specific information on Adobe Fonts can be found in the Trust Center and the documentation at https://helpx.adobe.com/fonts.html.

D. Adobe Fonts Data Processing – Step by Step

1. Collection: When a page that embeds Adobe Fonts is loaded, the visitor's browser establishes a direct HTTP(S) connection to Adobe servers. Adobe receives the IP address, user agent (browser, OS, device), referrer (the calling website) and technical metadata of the request.
2. Storage: According to Adobe, requests are stored in web server logs. Delivery is via a globally distributed CDN; server locations may also be outside the EU/EEA.
3. Use: Adobe uses the data to deliver the font files, ensure operations, protect against abuse and, by its own account, for statistical purposes (e.g. usage and access numbers per font family).
4. Disclosure: Adobe may involve group-internal recipients and technical sub-processors (e.g. cloud infrastructure providers). According to Adobe, no commercial disclosure to independent third parties takes place for the Fonts service.
5. Deletion: Adobe states retention periods for log data in its general privacy notices. The website operator has no direct access to this data; control options are limited to the choice of fonts embedded and to deciding whether to use Adobe Fonts or self-host locally.

E. Data Collected When Using Adobe Fonts

When a website with Adobe Fonts embedded is loaded, the following data, in particular, is transmitted to Adobe servers: IP address, date and time of the request, URL of the requested font style, referrer URL, user agent (browser name, browser version, operating system, device type) and additional technical metadata.

This data falls into the following standardised data categories:

• Web server log data: data the third party's web server receives with each request, in particular IP address, date, time, URL of the requested content, referrer, browser/OS/device information, and additional technical metadata such as response status code and data volume transferred.
• Device data: information about the user's device, e.g. device type and operating system.
• Browser information: information about the browser used, e.g. browser name and version.
• Coarse location data: approximate location of the user (city or municipality level) derivable from the IP address.
• Technical telemetry data: technical request data, e.g. response status code and data volume transferred.

F. Purposes When Using Adobe Fonts

The website operator primarily uses Adobe Fonts to deliver the website with the desired typography, ensuring a consistent appearance and good readability. The integration also serves efficient delivery via the Adobe CDN and license compliance.

The purposes fall into the following standardised categories:

• Functionality provision: providing the website's functionality, here in particular displaying text in the intended font, including error detection, error avoidance and the display of interactive content.
• Security and abuse protection: ensuring data security in font delivery, e.g. detecting and stopping attacks on the delivery infrastructure as well as bot and abuse defence by Adobe.
• General product improvement: non-user-individual adjustments to font delivery, e.g. optimisation based on frequently requested font styles.

G. Legal Bases for Using Adobe Fonts

Adobe Fonts falls into the third-party content category (web font delivery via third-party servers).

Possible legal bases include:

• Consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG: where Adobe Fonts is embedded online via Adobe servers, web server log data – in particular the IP address – is transmitted to third-party servers with every page request. A third-party content consent obtained via the consent banner is generally regarded as the appropriate basis here, in line with the assessment for Google Fonts (see below).
• Legitimate interest under Art. 6(1)(f) GDPR: with local self-hosting, no data is transferred to Adobe; in this case the processing relies on legitimate interests in functionality provision, efficiency and security. For online integration without consent, relying on legitimate interest is contested and risky given that case law on the structurally comparable Google Fonts setup (Munich Regional Court I, case no. 3 O 17493/20, judgement of 20 Jan 2022) has classified unsolicited IP transmission to third-party servers as an interference with the general right of personality.

The legal basis is case-specific and must be assessed by the website operator on the merits, particularly depending on the type of integration (online vs. self-hosted).

H. Special Considerations and Notes on Adobe Fonts

• Local self-hosting alternative: where the respective font licence permits, Adobe Fonts files can be served locally from the operator's own server. In this case, no data transmission to Adobe servers occurs on every page request.
• Third-country transfers / DPF: according to publicly available information, Adobe Inc. (USA) is listed under the EU-US Data Privacy Framework. Website operators should verify the DPF status of the specific Adobe entity at https://www.dataprivacyframework.gov/s/participant-search. Where DPF protection does not apply, Standard Contractual Clauses (SCC) come into consideration.
• DPA: for Adobe cloud services – including Adobe Fonts in connection with an Adobe account – Adobe provides a Data Processing Agreement. Whether Adobe acts as a processor or as an independent controller for web font delivery should be assessed on a case-by-case basis based on the contractual situation.
• Sub-processors: Adobe uses cloud infrastructure and group-internal entities; an up-to-date sub-processor list is provided by Adobe in its Trust Center.
• Settings for the website operator: load Adobe Fonts only after consent has been given (consent gating); alternatively, evaluate self-hosting. Pay attention to dynamic subset features (which involve additional data transmission for font optimisation).

This presentation is based on publicly available information from Adobe and other publicly available sources; it does not replace a case-by-case assessment.

I. FAQ on Adobe Fonts Data Protection

J. Conclusion on Adobe Fonts Data Protection and Next Step

Adobe Fonts enables licence-compliant use of high-quality font families on websites. From a data protection perspective, the key issue is that online embedding transmits web server log data – particularly the IP address – to Adobe servers in the USA and/or within the group on every page request. Website operators should therefore control embedding via the consent banner or evaluate local self-hosting, verify Adobe's current DPF status, and present purposes, data categories, recipients, third-country transfer and legal basis transparently in the privacy policy.

For the privacy policy itself, it is generally not useful to add a separate text block for every individual tool – including Adobe Fonts. Doing so makes the privacy policy long, unwieldy and hard to maintain and conflicts with the transparency principle in Art. 12(1) GDPR. A structured, topic-oriented approach that describes processing operations such as third-party content across the board and only lists specific providers – including Adobe – in a "Recipients" appendix is more appropriate. This is exactly what the matterius generator delivers.

K. Curator