Update: 20/1/2022 – The German Court has declared Google Fonts is not in compliance with GDPR/DSGVO
Update: 1/6/2022 – In recent months Google has updated their explanation and terms of using Google Fonts; which can be found under: “What does using the Google Fonts API mean for the privacy of my users?” at https://developers.google.com/fonts/faq. Further investigation what this means for using Google Fonts as a service is under way.
We have seen with Google ReCaptcha that handling Google’s API for GDPR and other privacy laws is a tricky one, and for most, not yet handled the right way.
Google Fonts. How it works.
The Google Fonts API will request and download font files and CSS assets to provide the correct fonts when visiting a webpage. These assets will be stored in the browser’s cache and updated when needed. Different domains might share the same assets when the browser’s cache assets match. In Google’s own words:
The font files themselves are cached for one year, which cumulatively has the effect of making the entire web faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. We do sometimes update font files to reduce their file size, increase coverage of languages, and improve the quality of their design. The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.
For WordPress users, this is the easiest way to add any Google Font they prefer.
A Google API request
When the visitor of, for example, fonts.com, has not yet cached the required fonts to display the page correctly a request to Google’s server will be made to acquire the correct assets and files to store in the browser and load the Google Fonts required.
And this is where it gets tricky; does the API request send anything related to personal data, according to the GDPR? What questions should we ask to see if we need to take action?
The personal data that is stored is at least an IP address from the website visitor. And yes, this is personal data according to the GDPR, as it is a unique personal identifier.
As the website owner who implemented the Google API: Do you need to ask permission or consent from the website visitor before the request to the Google server is made?
This is Google’s Privacy Statement surrounding Google Fonts:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.
This vague statement suggests the storage of personal data (IP Address) after the request has been made, whether it is limited or not. So consent is required! This means the website cannot load Google Fonts from the Google servers without getting consent first: the website needs to block Google Fonts, request consent, and finally, after consent is given, load the fonts.
Implications of blocking Google Fonts before consent
Blocking the Google Fonts API before consent is given means the webpage only shows correctly (with the correct fonts) if any of the following are correct:
- The cache of the website visitor already contains the exact Font Files and CSS assets requested by the stylesheet of the webpage.
- The website visitor has given consent prior, and the request is made.
It won’t show correctly if the cache is empty and:
- Consent is not given yet.
- Privacy settings of the browser refuse consent by default.
The third possibility is that you do not ask consent for Google Fonts and still load them, which means you’re not fully GDPR compliant.
This means that your site may render without the fonts you carefully selected. But there’s always a way to be GDPR Proof & serve your webpage correctly.
Solutions that serves both you and GDPR
We will give the obvious answer: self-hosting your Google Fonts.
There are many ways to self-host your Google Fonts, either by configuring it yourself or installing a plugin to handle it correctly. Read in our article on self-hosting Google Fonts how you can do this.