
Many enterprise websites use third-party services to deliver fonts, JavaScript libraries, and other utilities. These assets are often served from domains controlled by vendors such as Google or Cloudflare rather than from the site's own origin. While this streamlines development, it introduces consent risks that standard compliance reviews often miss.

External Files Create External Exposure

When a browser fetches content from a third-party domain, the request itself transmits metadata: the user's IP address, browser and device details (User-Agent and related headers), and often the referring URL. Under statutes like the EU GDPR, the California CPRA, and Virginia's VCDPA, these categories can constitute personal data (GDPR) or personal information (CPRA, VCDPA) whenever they are linked, or reasonably linkable, to an identifiable person.

Some privacy frameworks require users’ informed, prior consent for certain types of data collection or sharing. However, hardcoded third-party scripts can fire as soon as a page loads, before visitors can respond to a consent banner. When those external resources gather personal data outside the site’s consent management process, they expose the organization to consent-related compliance risk.

Hardcoded Scripts Fall Outside Enforcement Systems

Consent enforcement relies on two systems: the Consent Management Platform (CMP), which records user preferences, and the Tag Management System (TMS), which enforces them by only firing tags whose category has been consented to. The problem is that this model only covers tags and scripts loaded through the TMS.

Many commonly used files, such as fonts, utility libraries, or UI components, are hardcoded: the developer puts the script or link tag, with its vendor URL, directly in the page markup. The browser issues those requests while parsing the page, before any consent logic runs. They are not categorized, not delayed, and not evaluated against the user's consent choices unless teams actively surface and monitor them.

Google Fonts and GDPR Compliance

Google Fonts does not set cookies, but each request to its API sends the visitor's IP address and browser metadata to Google's servers. Two requests are involved: the stylesheet is fetched from fonts.googleapis.com, and the font files it references are fetched from fonts.gstatic.com; both carry that data. Under the GDPR an IP address is personal data. In January 2022 the Regional Court of Munich (Landgericht München I) ruled that loading Google Fonts from Google's servers without prior consent violated the GDPR. The decision confirmed that even utility assets fall under consent requirements when they are hosted externally and the request is linked to identifiable data.

To reduce risk, privacy experts recommend:

  • Blocking Google Fonts until the user consents. The stylesheet link must not be present in the page at load time; a consent-gated loader has to add it after the decision is recorded, or
  • Hosting the CSS and the font files from your own domain. Check the downloaded stylesheet before deploying it: Google's CSS references fonts.gstatic.com in its url() declarations, and a "self-hosted" stylesheet that still points there sends the same data as before.

The same logic applies more broadly. Any third-party-hosted file that includes personal data in the request may require consent, regardless of whether it sets a cookie or performs tracking in a standard sense.
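The deferral described above, for both the font stylesheet and a hardcoded vendor script, as an added example (not the article's own code). It assumes a markup convention in which the developer moves the live href or src into a data attribute together with the consent category the asset needs, so the browser requests nothing at parse time; the category names and the consentchange event are assumptions standing in for whatever the site's CMP provides:

```javascript
// Added example (not the article's code): defer hardcoded third-party assets
// until the visitor's consent decision is known.
// Assumed markup convention: the live href/src is moved into a data-* attribute
// together with the consent category the asset needs, so nothing is requested
// at parse time:
//   <link rel="stylesheet" data-consent="functional"
//         data-href="https://fonts.googleapis.com/css2?family=Inter">
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://cdn.vendor-example.net/widget.js"></script>
// Category names and the 'consentchange' event are assumptions, not a CMP standard.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Pure decision step. assets: [{ tag, category, url, el? }]; consent: { category: bool }.
// Returns allowed/blocked lists with reasons so the decision can be logged and tested.
function planActivation(assets, consent) {
  const allowed = [];
  const blocked = [];
  for (const a of assets) {
    if (!CATEGORIES.includes(a.category)) {
      // Fail closed: a mistyped category must not become a silent consent bypass.
      blocked.push({ ...a, reason: `unknown category "${a.category}"` });
    } else if (a.category === 'necessary' || consent[a.category] === true) {
      allowed.push(a);
    } else {
      blocked.push({ ...a, reason: `no consent for ${a.category}` });
    }
  }
  return { allowed, blocked };
}

// Read deferred elements out of the DOM into the plain shape planActivation expects.
function collectDeferredAssets(root) {
  const nodes = root.querySelectorAll('[data-consent][data-href], [data-consent][data-src]');
  return Array.from(nodes, (el) => ({
    el,
    tag: el.tagName.toLowerCase(),
    category: el.dataset.consent,
    url: el.dataset.href || el.dataset.src,
  }));
}

// Apply the plan. A <link> only needs its href set; a <script type="text/plain">
// never executes, so a fresh <script> element is inserted next to it instead.
function activate(consent, doc = globalThis.document) {
  const plan = planActivation(collectDeferredAssets(doc), consent);
  for (const a of plan.allowed) {
    if (a.el.dataset.activated === 'true') continue; // idempotent across repeated events
    if (a.tag === 'script') {
      const s = doc.createElement('script');
      s.src = a.url;
      s.async = true;
      a.el.parentNode.insertBefore(s, a.el);
    } else {
      a.el.href = a.url;
    }
    a.el.dataset.activated = 'true';
  }
  return plan;
}

// Browser wiring only; under Node the pure functions above still run.
if (typeof document !== 'undefined') {
  document.addEventListener('consentchange', (e) => activate(e.detail));
}
```

The decision is kept separate from the DOM work so it can be unit-tested and logged: planActivation returns what was blocked and why, and an unknown category is blocked rather than allowed, since a typo in a data-consent attribute would otherwise reintroduce exactly the silent pre-consent request the article describes.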

Undetected Violations Increase Risk

Hardcoded third-party requests are not governed by the TMS and often go uncategorized in the CMP. They fire automatically and bypass consent checks unless a team is actively monitoring all of the site's request activity, not only the tags the TMS knows about.

These types of requests (fonts, script libraries, UI components) often fly under the radar. Routine audits may overlook them entirely. If your MarTech stack is collecting user data without the ability to control or restrict it, the organization may be out of alignment with applicable consent requirements. A previously low-risk asset can become a liability quickly.
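A check in that spirit, as an added example that is neither the article's nor Sentinel's code: it reads the browser's Resource Timing entries, which cover every subresource the page fetched whether a TMS or a hardcoded tag triggered it, and reports third-party hosts together with how many of their requests fired before the visitor's consent decision. The sample entries, hostnames and consent timestamp are constructed for illustration, and the window.__consentAt global the browser wrapper reads is an assumption standing in for the CMP's own record of when consent was given:

```javascript
// Added example (not the article's or Sentinel's code): inventory third-party
// requests from Resource Timing and flag those that fired before consent.

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// The site itself or one of its known first-party hosts (subdomains included).
function isFirstParty(host, firstPartyHosts) {
  return firstPartyHosts.some(fp => host === fp || host.endsWith('.' + fp));
}

// entries: [{ name, startTime, initiatorType }] as in PerformanceResourceTiming
// (startTime is ms since navigation start). consentAt: ms since navigation start
// at which the visitor decided, or null if no decision has been made yet, in which
// case every third-party request so far is pre-consent.
function auditThirdPartyRequests(entries, firstPartyHosts, consentAt) {
  const byHost = new Map();
  for (const e of entries) {
    const host = hostOf(e.name);
    if (!host || isFirstParty(host, firstPartyHosts)) continue;
    const preConsent = consentAt === null || e.startTime < consentAt;
    const rec = byHost.get(host) ||
      { host, total: 0, preConsent: 0, types: new Set(), samples: [] };
    rec.total++;
    if (preConsent) rec.preConsent++;
    rec.types.add(e.initiatorType);           // link/css/script/img... tells you *how* it loaded
    if (rec.samples.length < 3) rec.samples.push(e.name);
    byHost.set(host, rec);
  }
  return [...byHost.values()]
    .map(r => ({ ...r, types: [...r.types].sort() }))
    .sort((a, b) => b.preConsent - a.preConsent || a.host.localeCompare(b.host));
}

// Constructed sample resembling performance.getEntriesByType('resource') on a page
// that hardcodes Google Fonts and a vendor widget; the banner was answered at 4200 ms.
// Note the font files come from fonts.gstatic.com via the stylesheet (initiatorType 'css'),
// a second request the stylesheet tag alone does not reveal.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example.com/app.js',                  startTime: 120,  initiatorType: 'script' },
  { name: 'https://fonts.googleapis.com/css2?family=Inter',  startTime: 140,  initiatorType: 'link' },
  { name: 'https://fonts.gstatic.com/s/inter/v12/abc.woff2', startTime: 310,  initiatorType: 'css' },
  { name: 'https://static.example.com/logo.svg',             startTime: 330,  initiatorType: 'img' },
  { name: 'https://cdn.vendor-example.net/widget.js',        startTime: 350,  initiatorType: 'script' },
  { name: 'https://cdn.vendor-example.net/widget.css',       startTime: 5100, initiatorType: 'link' },
];
const FIRST_PARTY = ['example.com'];

// Browser entry point. window.__consentAt is an assumed place where the CMP
// integration stored performance.now() at the moment the visitor decided.
function auditCurrentPage() {
  const entries = performance.getEntriesByType('resource');
  const consentAt = typeof window.__consentAt === 'number' ? window.__consentAt : null;
  return auditThirdPartyRequests(entries, [location.hostname], consentAt);
}

if (typeof performance !== 'undefined' && typeof location !== 'undefined') {
  console.table(auditCurrentPage());
} else {
  console.table(auditThirdPartyRequests(SAMPLE_ENTRIES, FIRST_PARTY, 4200));
}
```

Two caveats for anyone running this on a real site: Resource Timing only sees requests the document made (iframes keep their own timeline, so a third-party iframe's internal fetches need the same check from inside it), and cross-origin entries expose the URL and initiator but not headers or payload, so the output tells you which hosts received an IP address and browser metadata, not what else was sent.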

What Sentinel Insights Surfaces

Sentinel Insights monitors all outbound data activity from your site, whether tags are managed by the TMS or embedded directly in code by developers. This includes third-party file requests that fall outside typical consent enforcement systems.

If your team wants to review these requests and classify them, you can use Sentinel to:

  • Identify which files are loading from external domains
  • Determine whether they contain personal data
  • Track whether they align with user consent preferences

This approach allows privacy teams to extend governance beyond tag-based workflows and maintain control over assets that would otherwise escape visibility.
