CDN Privacy Risk Auditor
Detect third-party CDN dependencies that leak visitor IPs to external data controllers. Find Google Fonts, reCAPTCHA, YouTube embeds, and more.
How to Use CDN Privacy Risk Auditor
1. Enter your website URL.
2. The tool detects all external CDN resource calls (fonts, scripts, embeds).
3. Review each CDN dependency with GDPR risk level and data leaked.
4. See which resources are self-hostable and get alternatives.
Frequently Asked Questions
Why are CDNs a privacy risk?
When your website loads resources (fonts, scripts, images) from third-party CDNs, the CDN provider receives your visitors' IP addresses, User-Agent strings, and referrer headers. Under GDPR, IP addresses are personal data, making this a data transfer that may require consent or a legal basis.
What is the GDPR risk of Google Fonts?
In January 2022, a German court (LG Munich) ruled that embedding Google Fonts from Google servers violates GDPR because it transmits visitor IP addresses to Google in the US without consent. The court awarded EUR 100 damages per visitor. Self-hosting Google Fonts eliminates this risk entirely.
What does "self-hostable" mean?
A self-hostable resource is one you can download and serve from your own server or CDN, eliminating the third-party data transfer. For example, Google Fonts can be downloaded and served locally, while Google reCAPTCHA requires connecting to Google's servers to function.
Are all CDNs equally risky?
No. CDNs operated by advertising companies (Google, Meta) pose higher risks because the data may be combined with advertising profiles. Infrastructure CDNs like Cloudflare or jsDelivr are generally lower risk as they primarily serve static files without tracking.
How can I fix high-risk CDN dependencies?
For fonts: self-host them or use EU-hosted alternatives like Bunny Fonts. For widgets: replace Google reCAPTCHA with Turnstile or Friendly Captcha. For analytics: switch to privacy-first alternatives like Zenovay Analytics. For scripts: self-host jQuery, Bootstrap, etc.
Does this scan detect all CDN connections?
This tool analyzes the HTML source for known CDN patterns across 23 profiles. It detects resources loaded in the initial HTML but may miss dynamically loaded resources that are injected by JavaScript after page load.
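The static-scan approach described above can be sketched as follows. This is an added example, not the tool's own code: the four-entry profile table, the risk labels, and the sample page are constructed for illustration and stand in for the tool's 23 profiles. The sample includes a font injected by inline JavaScript to show why such resources are missed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed subset of profiles (assumption): host, path prefix, label, risk, self-hostable
PROFILES = [
    ("fonts.googleapis.com", "/", "Google Fonts", "high", True),
    ("fonts.gstatic.com", "/", "Google Fonts", "high", True),
    ("www.google.com", "/recaptcha/", "Google reCAPTCHA", "high", False),
    ("cdn.jsdelivr.net", "/", "jsDelivr", "low", True),
]
URL_ATTRS = {"link": "href", "script": "src", "iframe": "src", "img": "src"}

class ResourceCollector(HTMLParser):
    """Collects absolute URLs of resources referenced by tags in static HTML."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative (//host/...) URLs
            self.urls.append(urljoin(self.page_url, value.strip()))

def audit(page_url, html):
    """Return sorted (label, risk, self_hostable, host) for third-party matches."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = urlparse(page_url).hostname
    findings = set()
    for url in collector.urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if not host or host == first_party:
            continue  # first-party resources leak nothing to a third party
        for p_host, p_path, label, risk, hostable in PROFILES:
            if host == p_host and parts.path.startswith(p_path):
                findings.add((label, risk, hostable, host))
    return sorted(findings)

# Constructed sample page: static tags plus one font injected by inline script
SAMPLE = """<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<script src="https://www.google.com/recaptcha/api.js"></script>
<script src="/static/app.js"></script>
<script>var l=document.createElement('link');l.rel='stylesheet';
l.href='https://fonts.gstatic.com/s/inter.woff2';document.head.appendChild(l);</script>
</head><body><img src="https://cdn.jsdelivr.net/gh/example/logo.png"></body></html>"""
```

Running `audit("https://example.org/", SAMPLE)` reports the three statically referenced hosts but not `fonts.gstatic.com`, because that URL exists only inside script text until a browser executes it.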